Granular Web UI Access/Authorisation - Vaadin 7, JBOSS 7.1.1

Question

I am using vaadin 7, and jboss 7.1.1. There is a business requirement for very granular ui access. There will be parent windows per business function, and in that window functions relative to it. Business requires enabling and disabling those functions within, per user, so as an example, a parent window that represents employees, and when you click that you enter the child window which has functions like editing, deleting, viewing, adding,etc etc but that access must be customized to the user using it, so user x can update but not delete, as an example.
So what i came up with was to store that information in the database. In the database there will be a users table with username and a user guid. Then a parentview table and and parentchildren table and then lastly a userview table. i will store in the userview table the users guid and either the view they have access to and what type of access as in read,write,update,etc... I will on the ui login authenticate against ldap, get the users information and guid and use the guid to pull the users view access from the userview table in the database and store it in the vaadin session, and then on the ui, read that from the session and show the correct access.

I am not sure if this is the best way which is why i am asking if my solution is ok? I have been reading lots of doc's around security but non seem to achieve what i want. Another point of keeping it in the db, is that i can create a user admin ui which can edit the users access simply by updating the db, i dont want to redeploy or do anything with the webserver, I would prefer a ui user access control module and for someone with rights to it to administer that access. I would really appreciate insight and some ideas into this.

Thanks guys, I would appreciate any input.

Answer 1

What you want to achieve, regardless of the environment you are in and technology you are using, is fine-grained access control / authorization.

The way to do that is to use authorization frameworks. Spring Security has one for instance. I'm not sure whether Vaadin comes with anything.

In our company we use Vaadin to develop a management portal and we then use XACML to apply fine-grained decisions to the portal such as which functions to enable for which users and even which items to display in a Vaadin table.

Generally speaking you want to look at the field of attribute-based access control (NIST ABAC). ABAC lets you define authorization constraints based on different factors/parameters such as user attributes (location, department, role...) and resource attributes (where the resource can be data, widgets, functions... You name it).

I actually delivered a webinar yesterday on the topic of fine-grained authorization for Java MVC apps. I think it could prove useful for you.

If you go down the XACML path, you do not need to create a custom database with the information inside as you have done. All you need to do is write authorization policies e.g. a user in purchasing can use the purchasing functions.

There are several open source XACML implementations as well as vendor solutions such as the one I work for, Axiomatics.

I hope this helps. I've also written a lengthier answer here which covers the broader field of authorization.