Google Git
Sign in
apache / directory-fortress-enmasse / 8c378295ecdb314f25b032b85361c92466a36731^! / .
commit8c378295ecdb314f25b032b85361c92466a36731[log] [tgz]
authorShawn McKinney <smckinney@apache.org>Wed Apr 24 10:34:39 2019 -0500
committerShawn McKinney <smckinney@apache.org>Wed Apr 24 10:34:39 2019 -0500
tree3b789336fea240fbd5ba87e2fe95de965f92c1bd
parent11b8ce4428a87a9da94cfddaba6a8ecdebeba133 [diff]
describe the policy load files

diff --git a/README-SECURITY-MODEL.md b/README-SECURITY-MODEL.md
index c05180a..f8660d5 100644
--- a/README-SECURITY-MODEL.md
+++ b/README-SECURITY-MODEL.md

@@ -134,28 +134,30 @@
  created by the security policy in this project, that are excluded from this type of check:
  **fortress-rest-admin** and **fortress-core-super-admin**. 
 
- Which means they won't have to pass the role range test.  All others use the range field to define authority over a particular set of roles, in a hierarchical structure. 
-                                         
+ Which means they won't have to pass the role range test.  All others use the range field to define authority over a particular set of roles, in a hierarchical structure.
 
-## 5. Java EE security and Apache CXF SimpleAuthorizingInterceptor policy load
+## 5. Java EE security and Apache CXF *SimpleAuthorizingInterceptor* policy load
 
  a. The policy load file in this section performs the following:
-  * Create Java EE security role, *fortress-rest-user*, assigned users past the Java EE security role check described earlier.
-  * Create the roles needed to pass corresponding Apache CXF **SimpleAuthorizingInterceptor** checks described earlier.
-  * For example...
-  * Users assigned to *fortress-rest-admin-user* have access to all of the RBAC admin services.
-  * "        "        *fortress-rest-review-user* have access to all the RBAC review services.
-  * "        "        *fortress-rest-deladmin-user* have access to all the ARBAC admin services.
-  * etc...
-  * So a user would have to be assigned the *fortress-rest-user* and the particular interceptor role to successfully execute one of the rest services.
-  * The *fortress-rest-power-user*, inherits all of the others, making it very powerful. A user assigned this role has access to all services.
+  * Creates a RBAC role, *fortress-rest-user* that is needed to pass the Java EE security check described earlier. See [web.xml](src/main/webapp/WEB-INF/web.xml).
+  * Create the roles for corresponding Apache CXF **SimpleAuthorizingInterceptor** checks, also described earlier.
+    * For example...
+    * Users assigned to *fortress-rest-admin-user* have access to every RBAC admin service.
+    * "        "        *fortress-rest-review-user* have access to every RBAC review services.
+    * "        "        *fortress-rest-deladmin-user* have access to every ARBAC admin services.
+    * etc...
+  * Create an RBAC Role, *fortress-rest-power-user*, and make it the child of every other RBAC role.
+    * Users assigned to this role have access to every service.
+  * Create a test user, *demoUser4*, assign to *fortress-rest-power-user* RBAC role.
 
- b. To load [FortressRestServerPolicy](./src/main/resources/FortressRestServerPolicy.xml) into LDAP:
+ b. Execute the policy load [FortressRestServerPolicy](./src/main/resources/FortressRestServerPolicy.xml) into LDAP:
 
  ```maven
  mvn install -Dload.file=src/main/resources/FortressRestServerPolicy.xml
  ```
 
+ c. Now demoUser4 should be able to execute every service and pass the JavaEE and Apache CXF interceptor checks.
+
 ## 6. ARBAC policy load
 
  a. The ARBAC policies are enforced when the following property is present in runtime *fortress.properties*:
@@ -185,14 +187,14 @@
       T6UOrg3,T6UOrg4,T6UOrg5,T6UOrg6,T6UOrg7,T7UOrg1,T7UOrg2,
       T7UOrg3,T7UOrg4,T7UOrg5,T7UOrg6,T7UOrg7"
  ```
- Note: These Perm and User OUs are a prerequisite to the subsequent load script successfully running.
- They get created during Apache Fortress Core during integration testing.  That means the completion of those tests are a prerequisite to importing this data.
+ Note: These Perm and User OUs must be created prior to this sections's ARBAC sample load script being run.
+ Those OUs are created during Apache Fortress Core integration testing inside the class named *FortressJUnitTest*.
 
- c. Next the policy load scripts performs the following:
+ c. Next the policy load script performs the following:
 
  * Creates the Administrative Permissions that correspond with every Apache Fortress Rest service in this system.
  * Grants the Admin Perms to the Admin Role *fortress-rest-admin*.
- * Assigns role *fortress-rest-admin* to User *demoUser4*.
+ * Assigns the Admin Role *fortress-rest-admin* to the test User *demoUser4*.
    * Users who have been granted this role, like *demoUser4*, may call every Apache Fortress Rest service in this syteem and pass the ARBAC02 perm checks.
    * Assigned users will pass the ARBAC02 organizational checks for (only) the data contained within the Apache Fortress core junit tests.
    * Assigned users will pass *all* of the ARBAC02 role range checks.