Security Model on Axiom Stack Open Source Rapid Development Web Framework

1Overview
2Secure by Default
3Security.Properties
4isAllowed() & isAllowedDefault()
5An Example
6User Functions

Overview

The security model uses a few systems. The key, and most important, piece to the security model is that it is "Secure by Default". The only action that is available by default toAnyoneismain.

The security model allows for someone to access the system based on some roles or by overriding the security using a predefined function.

Also, the security system uses inheritance. Meaning, that if my parent'smainmethod is only allowed toAuthorizedusers, then my methods are only allowed toAuthorizedusers.

Secure by Default

This means that nobody can access a method from its URL without it being defined in thesecurity.propertiesfile. Therefore you will receive an unauthorized error when you attempt to access something that is "Secure by Default".

Security.Properties

Please familiarize yourself withsecurity.properties.

This file is defined on a per prototype basis. This means that you must create a security.properties file in each prototype directory you create to allow actions other than main to be accessible or to disallow access to the main method of that prototype.

isAllowed() & isAllowedDefault()

A brief API is available at:

isAllowed() -AxiomObject#AxiomObject.isAllowed.28.29
isAllowedDefault() -AxiomObject#AxiomObject.isAllowedDefault.28.29

To use this function you must use the API described above. What this does is take an action for the currentAxiomObjectand allows you to process security based on that action. What this means is that you could apply a property likemembers_onlyto a prototype and then allow dynamic security to happen for that action.

One thing to keep a note of is that if you have an isAllowed function specified on your prototype if will be called before the security.properties is looked at, therefore if you return false then every action will be disallowed, and visa versa.

The isAllowedDefault function is a listing of what you have specified in your security.properties file. When you call isAllowedDefault with an action and an object listing to override the security.properties file, those settings will take precidence but only for that instance of the object and only while in that request.

An Example

// An example from one site we've built.
function isAllowed(action) {
    if (this.membersOnly && typeof this.membersOnly == "function" && this.membersOnly()) {
	return this.isAllowedDefault(action, {'main':'@Authenticated'});
    }
    return this.isAllowedDefault(action, {});
}

this.membersOnly = function() {
    if (this == root || this.getAncestor('ContentManagementSystem')) { return false; }
    if (this._prototype == 'HomePage' && !this.members_only) { return false; }
    if (this.members_only) { return true; }
    if (!(this._parent && this._parent.membersOnly)) { return false; }
    //recurse and check parent based members_only
    return this._parent.membersOnly();
}

User Functions

To allow for some of this to happen there needed to be a set API on your user objects so that the security model will work. The functions that need to be available on any objects you store in the session are:

getUsername()

Get the username of the user.

Synopsis

getUsername()

Arguments

none

Returns

string-username as a string

getRoles()

Roles available on a user.

Synopsis

getRoles()

Arguments

none

Returns

Array<String>- Roles as an array.

hasRole()

See if the current user has the role specified.

Synopsis

hasRole(role)

Arguments

string- Role to check.

Security Model - Axiom

Contents

Overview

Secure by Default

Security.Properties

isAllowed() & isAllowedDefault()

An Example

User Functions

getUsername()

getRoles()

hasRole()