Getting Started with Role-Based Security in Your Mashups


We ship Presto Developer Edition with everything you need to get started immediately, out of the box. For example, we bundle Tomcat for your convenience (although you can deploy to your favorite app server if you choose).

When it comes to security, you can connect Presto to your existing LDAP in order to access your users and groups from within Presto. But we also ship with a simple internal user management database for your convenience out of the box. In this blog, I will provide an overview of a basic use case for using Role Based Access Control (RBAC) with Presto.

I hope this will be a good jumping-off point for you to get started with Presto Developer Edition so you can start rapidly building secure Enterprise Mashups. While I outline a simple example, the same approach applies once you have integrated with your corporate LDAP or Single Sign-On (SSO) solution as well.

Let's start with a simple use case. I would like to have two basic classes of users in my system: an administrative user and a basic user. The administrative user will have special privileges, such as being able to register services in Presto, to activate/de-activate services and mashups, and to delete services and mashups. The basic user should only be able to view services and mashups, but not be able to edit/activate/delete them. The one exception to this rule is that I would like the owner of a particular mashup to also be able to edit, activate, and delete it.

Okay, so let's get started. Here are the steps to accomplish this in Presto:

1. Enable Access Control in Presto Developer Edition

In order to enable access control in Presto, set the property "security.disableAclChecking" to "false". Note that the property is phrased as a negative: while it is "true", no access control checks run at all.

To do so, go to the Admin Console and click on "Server Configuration".

Setting System Property

Locate the "security.disableAclChecking" property. If the property value is set to "true", double click it and change it to "false".

After you have set the property, click the "Save Settings" button down below.

You have now enabled access control in Presto Developer Edition.

2. Add a User

Also from Admin Console, if you click on "Manage Users" and then click on the "New User" button you can create a new user in the system. This user will serve as the "basic user" in our above scenario.

Note: If you were using your existing LDAP for user management, you would use the tooling of that environment to add a user instead.

3. Have this basic user view services in Presto

4. Attempt to de-activate or delete a mashup using this basic user

5. Attempt to activate (or delete) a mashup using the admin user

The admin user is able to activate the service, whereas the basic user could not.

What Next? Get Mashing! If you want to continue experimenting with RBAC, you might want to try assigning the publisher role to your basic user and registering a service in Service Explorer. Now that your basic user is the owner of this service, he or she will have additional privileges. Try some of the above steps again, including attempting to de-activate or delete this service, and you will see different behavior based on the fact that your user is now the owner of this service.
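To make the rules from the scenario above and the ownership experiment concrete, here is a small Python model of the policy, added here as an illustration only: it is not Presto's code or API, and the role names ("admin", "publisher"), action names and sample users are assumptions. It also shows why step 1 matters: with ACL checking disabled, every request is allowed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of this post's access rules; not Presto's own code or API. Role and action names are assumptions.
ADMIN_ACTIONS = {"view", "register", "activate", "deactivate", "edit", "delete"}
OWNER_ACTIONS = {"view", "edit", "activate", "deactivate", "delete"}
BASIC_ACTIONS = {"view"}

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()

@dataclass(frozen=True)
class Artifact:
    name: str
    owner: str  # the user who registered this service or mashup

def is_allowed(user: User, action: str, artifact: Optional[Artifact],
               acl_checking_disabled: bool = False) -> bool:
    """True if `user` may perform `action` on `artifact` (None = not yet registered)."""
    # Mirrors security.disableAclChecking: while true, no check runs at all,
    # which is why step 1 of the post sets it to "false".
    if acl_checking_disabled:
        return True
    if "admin" in user.roles:
        return action in ADMIN_ACTIONS
    # Owner exception: whoever registered the artifact keeps control of it.
    if artifact is not None and artifact.owner == user.name:
        return action in OWNER_ACTIONS
    # Registering creates a new artifact (no owner yet); it needs the publisher role.
    if action == "register":
        return "publisher" in user.roles
    return action in BASIC_ACTIONS

def walkthrough() -> dict:
    """Replay steps 3-5 and the 'What Next?' experiment as scenario -> allowed."""
    admin = User("admin", frozenset({"admin"}))
    basic = User("bob")                                # constructed basic user
    mashup = Artifact("sales-mashup", owner="admin")   # constructed, owned by admin
    publisher = User("bob", frozenset({"publisher"}))  # bob after the publisher grant
    own_svc = Artifact("weather-svc", owner="bob")     # service bob registered
    return {
        "basic views mashup": is_allowed(basic, "view", mashup),
        "basic deactivates mashup": is_allowed(basic, "deactivate", mashup),
        "admin activates mashup": is_allowed(admin, "activate", mashup),
        "publisher registers service": is_allowed(publisher, "register", None),
        "owner deactivates own service": is_allowed(publisher, "deactivate", own_svc),
        "owner deletes admin's mashup": is_allowed(publisher, "delete", mashup),
        "checks disabled, basic deletes": is_allowed(basic, "delete", mashup, True),
    }
```

Note that ownership is per artifact: granting the publisher role lets the user control what they registered, not mashups registered by someone else.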

Hope this brief introduction has helped you get started. As always, let us know your thoughts!

VP App Platform Eng, JackBe dan@jackbe.com