8.1:documentation:security

Security

API access requires the user to be authenticated, excluding a few public endpoints. We can divide the sign in into two parts:

  • authentication - the user proves his identity
  • authorization - the user has access to given resource

Authentication is realized through a request filterchain. The filters must always follow specified behavior:

  • if credentials are OK, continue to authorization
  • if credentials do not match, pass request to another filter in chain

In reality there is only one authentication servlet filter - AuthenticationFilter. Others filters are Spring beans implementing IdmAuthenticationFilter interface. An exception in filters is the ExtendExpirationFilter, which is another servlet filter handling the extension of expiration date of JWT tokens. This filter also controls possible exceptions in authentication flow.

User authorization is checked on the API endpoint layer and enforced by Spring Security. The permissions are a part of IdM JWT:

  • currentUsername - effective user's login
  • originalUsername - logged user's login
  • currentIdentityId - effective user's ID
  • originalIdentityId - logged user's ID
  • authorities - list of application permissions
  • exp - token expiration date
  • iat - issued at date

All IdM JWT tokens are signed using HMAC256 algorithm. The symmetric encryption key is configuration property of CzechIdM, stored as "idm.sec.security.jwt.secret.token". Default expiration time is 10 minutes.

Backend of CzechIdM supports immediate detection of user's authorization change. Each modification type is implemented as application event processor, for further details please check the source code and tests :) The information about last authority change is kept in IdmAuthorityChange entity. Types of modifications:

  • addition / removal of role, which carries application permissions
  • disabling the user
  • role's permissions change - revokes tokens of all users which have the role assigned