Permission Based Access Control with JWT

I would like to introduce permissions based access control in my Single Page Application (SPA) front-end which authenticates the user with token based authentication (JWT).

Permission Requirement:

In my SPA, each required (html) element is mapped to a permission and depending on the availability of the user permission, the element is shown or hidden. Multiple elements can be mapped to the same permission.

Number of permissions: ~100

The problem I need to solve is:

How to efficiently pass permissions that control view and access of specific front-end elements from backend to the SPA.

I am thinking about two possible approaches with different options on how to implement this:

Approach 1

It seems that in almost all guides and examples on permission based authentication, the permissions are included within the jwt token:

  1. User logs in the web app
  2. The user is authenticated and the server returns a jwt token to the SPA.

    Option A

    The jwt token will contain one claim per permission.

    Option B

    The jwt token will contain one claim that will have as a value all user permissions comma separated or structured.

  3. The SPA parses the jwt token and gets the permissions.

Approach 2

The above solution does not sound efficient from a network traffic perspective so here is the second approach:

  1. User logs in the web app
  2. The user is authenticated and the server returns a jwt token to the SPA.
  3. As soon as the jwt is retrieved successfully, the client requests the permissions of the user in a separate request.
  4. Once the permissions are retrieved, they are cached in the browser session.

Questions:

  • Are JWT claims well suited for passing users permissions?
  • Wouldn’t 100 claims be a large size to be passed around in a token?
  • Do you see any issues with the second approach except from the drawback of having to validate the cache if the user permissions change?
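To make the size question concrete, here is an added example that is not part of the question: it builds and verifies HS256 tokens with the standard library only, encodes the same ~100 constructed permission names once as one claim per permission (option A) and once as a single structured claim (option B), and shows why the server must re-verify the signature before honouring any permission claim. The key and the permission names are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-hs256-key"  # constructed placeholder; a real key is random and stays server-side
PERMS = [f"perm_{i:03d}" for i in range(100)]  # constructed stand-in for the ~100 permissions

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict) -> str:
    """Compact JWS: base64url(header).base64url(claims).base64url(HMAC-SHA256 over both)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"

def verify_hs256(token: str):
    """Return the claims only if alg, signature and expiry all check out; otherwise None."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None  # never let the token choose the algorithm
    mac = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(body))
    return claims if claims.get("exp", 0) > time.time() else None

def option_a(user: str, perms: list) -> dict:  # Approach 1, option A: one claim per permission
    return {"sub": user, "exp": int(time.time()) + 3600, **{p: True for p in perms}}

def option_b(user: str, perms: list) -> dict:  # Approach 1, option B: one structured claim
    return {"sub": user, "exp": int(time.time()) + 3600, "perms": perms}

def token_sizes(user: str = "alice", perms: list = PERMS) -> dict:
    """Characters on the wire for each option with the full permission set."""
    return {"A": len(sign_hs256(option_a(user, perms))), "B": len(sign_hs256(option_b(user, perms)))}

def allowed(token: str, perm: str) -> bool:
    """Server-side gate: hiding an element in the SPA is UX; a verified claim is authorization."""
    claims = verify_hs256(token)
    return bool(claims) and (perm in claims.get("perms", []) or claims.get(perm) is True)

def client_edits_payload(token: str, extra_perm: str) -> str:
    """What a user can do in DevTools: add a permission to the payload; the MAC no longer matches."""
    header, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims.setdefault("perms", []).append(extra_perm)
    return f"{header}.{b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"
```

Both tokens come out above a kilobyte; option B is smaller only because each permission name is not paired with a key and a boolean, and under approach 1 that payload travels with every request.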

Problem sending data from MySQL to a select control in JSP using a servlet

Dear all, I am trying to send the rows of an SQL query to an HTML select control using JSP, a servlet and Ajax. The problem is that when the data is sent via Ajax, the combo box does not come back with the data, and the console does not show any error either; it only tells me "conexión exitosa" (connection successful) and "grave" (SEVERE).

I have an SQL query that returns rows based on a parameter in the FoliosDao class. The parameter is the rut; with that parameter I fetch the data from MySQL. In the servlet I call the FoliosDao class to reach the method and obtain the data. I send the parameter from the JSP form using Ajax. When the button is pressed, the system shows no result, and no errors appear in the console or in NetBeans. Please help.


Here is the code.

Ajax function

    <script>
    function mostrarFoliosReporteFoliosAjax() {
        var rutUserAjax = $("#rutUsuarioAjax").val();
        $.ajax({
            url: "reporteFoliosVerFoliosAjaxServlet.do",
            data: {
                rutUserJS: rutUserAjax
            },
            success: function (result) {
                $("#listaFoliosPorRut").html(result);
            },
            // Without an error callback a failed request (HTTP 500 from the servlet) is silent in the browser.
            error: function (xhr, status, err) {
                console.error("reporteFoliosVerFoliosAjaxServlet.do failed:", status, err);
            }
        });
    }
    </script>

Form with button

    <form method="POST">
        <table>
            <tr>
                <th>Rut :</th>
                <td>
                    <div class="container-fluid" id="idRutComp">
                        <input type="text" class="form-control" id="rutUsuarioAjax">
                    </div>
                </td>
                <td>
                    <div class="container-fluid">
                        <button type="button" class="btn btn-primary" onclick="mostrarFoliosReporteFoliosAjax()"><span class="glyphicon glyphicon-cog"></span>Generar</button>
                    </div>
                </td>
            </tr>
        </table>
        <hr>
    </form>

Container div where the result should be displayed

    <div id="listaFoliosPorRut"></div>

Servlet class

    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException, SQLException {
        response.setContentType("text/html;charset=UTF-8");
        Usuario rutUs = new Usuario();
        FoliosDao fodao = new FoliosDao();
        try {
            rutUs.setRutPersona(request.getParameter("rutUserJS"));
            ResultSet res = fodao.listarFoliosReporteReservasPorRut(rutUs);
            ArrayList<Folio> numeroFolio = new ArrayList<Folio>();
            if (res == null) {
                String error = "No se encontraron datos";
                request.getSession().setAttribute("error", error);
            } else {
                while (res.next()) {
                    numeroFolio.add(new Folio(res.getInt("cod_seq_awb"), res.getString("awb")));
                }
                request.getSession().setAttribute("numeroFolio", numeroFolio);
                ArrayList<Folio> foli = (ArrayList<Folio>) request.getSession().getAttribute("numeroFolio");
                PrintWriter out = response.getWriter();
                try {
                    // The response is injected into #listaFoliosPorRut with .html(), so only the
                    // <select> fragment is needed, not a whole HTML document. Folio values come from
                    // the database and should be HTML-escaped before being written into the option text.
                    out.println("<select class='form-control' name='txt_awbs'>");
                    out.println("<option>Seleccione Folio</option>");
                    for (int i = 0; i < foli.size(); i++) {
                        out.println("<option>" + foli.get(i).getNumeroFolioCompleto() + "</option>");
                        System.out.println("Numero de Folio :" + foli.get(i).getNumeroFolioCompleto());
                    }
                    out.println("</select>");
                } finally {
                    out.close();
                }
            }
        } catch (java.lang.NullPointerException ex) {
            // The original only called ex.getMessage(), which discarded the exception and hid it from the console.
            ex.printStackTrace();
        }
    }

Method of the FoliosDao class

    // Requires java.sql.PreparedStatement among the imports.
    public ResultSet listarFoliosReporteReservasPorRut(Usuario usr) {
        ResultSet res = null;
        try {
            Connection conn = ConexionMysqlCargomove_db.getInstance().getConnection();
            // The original concatenated the rut into the SQL and also lacked a space before "and",
            // producing "r.awb_cod_seq_awband r.rut_cliente", which is a syntax error (the SEVERE log entry).
            // A bound parameter fixes both: the rut is sent as data and can never alter the statement.
            String SQL = "select a.cod_seq_awb, a.awb from awb a, rvas r "
                       + "where a.cod_seq_awb = r.awb_cod_seq_awb "
                       + "and r.rut_cliente = ?";
            PreparedStatement st = conn.prepareStatement(SQL);
            st.setString(1, usr.getRutPersona());
            res = st.executeQuery();  // the caller reads res, so the statement is not closed here
        } catch (SQLException ex) {
            // Pass the exception itself, not ex.getStackTrace(), so the log shows the actual SQL error.
            java.util.logging.Logger.getLogger(FoliosDao.class.getName()).log(Level.SEVERE, null, ex);
        }
        return res;
    }


Please help.
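As an added illustration that is not part of the question, the same join run three ways in Python against an in-memory SQLite stand-in for the awb and rvas tables (constructed rows): the statement exactly as FoliosDao concatenates it fails to parse because of the missing space before `and`, the space-fixed concatenation still lets the rut rewrite the WHERE clause, and a bound parameter does not.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the awb and rvas tables the DAO joins."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE awb (cod_seq_awb INTEGER PRIMARY KEY, awb TEXT);
        CREATE TABLE rvas (awb_cod_seq_awb INTEGER, rut_cliente TEXT);
        INSERT INTO awb VALUES (1, 'AWB-001'), (2, 'AWB-002'), (3, 'AWB-003');
        INSERT INTO rvas VALUES (1, '11111111-1'), (2, '11111111-1'), (3, '22222222-2');
    """)
    return conn

def folios_as_posted(conn, rut: str) -> list:
    """The statement exactly as FoliosDao concatenates it: no space before 'and'."""
    sql = ("select a.cod_seq_awb,a.awb from awb a, rvas r\n"
           "where a.cod_seq_awb=r.awb_cod_seq_awb"
           "and r.rut_cliente='" + rut + "';")
    return conn.execute(sql).fetchall()

def folios_concatenated(conn, rut: str) -> list:
    """Space fixed, rut still concatenated: the input can rewrite the WHERE clause."""
    sql = ("select a.cod_seq_awb, a.awb from awb a, rvas r "
           "where a.cod_seq_awb = r.awb_cod_seq_awb "
           "and r.rut_cliente = '" + rut + "' order by a.cod_seq_awb")
    return conn.execute(sql).fetchall()

def folios_parameterised(conn, rut: str) -> list:
    """Bound parameter (a PreparedStatement in JDBC): the rut is data, never SQL."""
    sql = ("select a.cod_seq_awb, a.awb from awb a, rvas r "
           "where a.cod_seq_awb = r.awb_cod_seq_awb and r.rut_cliente = ? "
           "order by a.cod_seq_awb")
    return conn.execute(sql, (rut,)).fetchall()

def compare(rut: str = "11111111-1") -> dict:
    """Run all three variants; the hostile value is constructed to show the concatenation risk."""
    conn = make_db()
    try:
        posted = folios_as_posted(conn, rut)
    except sqlite3.Error as exc:
        posted = f"error: {exc}"  # the counterpart of the SEVERE ("grave") entry the servlet logs
    hostile = "' OR '1'='1"
    return {"posted": posted,
            "space_fixed": folios_concatenated(conn, rut),
            "hostile_concatenated": folios_concatenated(conn, hostile),
            "hostile_parameterised": folios_parameterised(conn, hostile)}
```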

Moving application control flow from NiFi to code

We currently have an application that is nominally written in Java/Spring boot, but all of the control flow is in NiFi.

For example, there are the following layers in the java application:

  • Controllers take an object and return a service call (literally 2 lines)
  • Services pass data to a transformer
  • Transformers pass data to a converter
  • Converters call some API usually (external) and then convert the return object in a response object that goes all the way up the stack to the caller

On the NiFi side, there are a number of process groups that poll various databases and then feed a huge network of other processors (many are custom .nars). All of the control flow is here (i.e. if an object like this has already been processed, do one thing, else do something else), and while it's not very complicated, there is a lot of it (all control flow lives here or in the database).

We want to move away from this model of development because it makes it extremely difficult to tell a user when something is actually done (as opposed to what we do now, which is return a 200 when it hits NiFi) and exceptions are very difficult to propagate.

How can we approach this? For scale, we probably have hundreds if not thousands of process groups in NiFi.

Are Verification and Validation both Quality Assurance and Quality Control? [on hold]

Having read a book I found a note that verification and validation can be both quality assurance and quality control. I cannot see how it can be quality assurance because both just provide evidence whether or not the product meets its use, requirements etc., which is quality control.
IMHO V&V cannot assure quality; they only answer the questions “does it work?” and “is it correct?”.

Are exceptions as control flow considered a serious antipattern? If so, Why?

Back in the late 90’s I worked quite a bit with a code base that used exceptions as flow control. It implemented a finite state machine to drive telephony applications. Lately I am reminded of those days because I’ve been doing MVC web apps.

They both have Controllers that decide where to go next and supply the data to the destination logic. User actions from the domain of an old-school telephone, like DTMF tones, became parameters to action methods, but instead of returning something like a ViewResult, they threw a StateTransitionException.

I think the main difference was that action methods were void functions. I don’t remember all the things I did with this fact but I’ve been hesitant to even go down the road of remembering much because since that job, like 15 years ago, I never saw this in production code at any other job. I assumed this was a sign that it was a so-called anti-pattern.

Is this the case, and if so, why?

Update: when I asked the question, I already had @MasonWheeler’s answer in mind so I went with the answer that added to my knowledge the most. I think his is a sound answer as well.

Is access control list blocking me and how do I disable it?

I have a partition that was handed to me for examination and can mount it in Ubuntu 19.04. However there are a number of directories where a period is appended to the end of the permissions in the directory listing. I found where this indicates that ACL (Access Control) is active.

If I enter, “ls -al” the following message is displayed:

foghorn-leghorn@foghornleghorn-Precision-M4800:/image$ ls -al special_parts
ls: cannot open directory 'special_parts': Permission denied

Permissions have been set to ‘444’ and SELinux is not enabled in Ubuntu. This has been verified by entering ‘sestatus’.

foghorn-leghorn@foghornleghorn-Precision-M4800:/image$ sestatus
SELinux status:                 disabled

and checking the directory entry for permissions.

dr--r--r--   26 foghorn-leghorn foghorn-leghorn  4096 Jun 27 14:27 special_parts 

Using the ‘ls -lZ’ command to check for ACL entries reveals they are in use.

drwx--x--x.   3 foghorn-leghorn foghorn-leghorn u:object_r:customer_data_file:s         4096 Jun 27 14:27 user_die
dr--r--r--   29 foghorn-leghorn foghorn-leghorn u:object_r:customer_data_file:s         4096 Jun 27 14:27 special_parts
drwxrwx--x.   3 root            root            u:object_r:customer_data_file:s         4096 Jun 29 14:29 special_parts_cie
drwxrwx--x.   3 root            root            u:object_r:customer_data_file:s         4096 Jun 29 14:27 special_parts_die

I tried removing the ACL references using:

setfacl -b customer_parts

Still I cannot display the directory listing. Rechecking the status of ACL on the directory revealed a restriction seems to still be listed but is now labeled “?”.

drwx--x--x.   3 foghorn-leghorn foghorn-leghorn u:object_r:system_data_file:s0         4096 Jun 27 14:27 user_die
dr--r--r--   26 foghorn-leghorn foghorn-leghorn ?                                      4096 Jun 27 14:27 special_parts
drwxrwx--x.   3 root            root            u:object_r:customer_data_file:s0         4096 Jun 27 14:29 special_parts_cie
drwxrwx--x.   3 root            root            u:object_r:customer_data_file:s0         4096 Jun 27 14:27 special_parts_die

Any ideas on how to remove the ACL references in the file and display the directory?
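An added example, not part of the question: a small parser for lines in the ls -lZ layout shown above. GNU ls appends `.` to the mode bits when a file carries a security context (an SELinux label) but no POSIX ACL, and `+` when an ACL or another alternate access method is present, so the marker alone tells you whether setfacl has anything to act on. The sample reuses the question's entries and adds one constructed `+` line.

```python
import re

# Constructed sample in the ls -lZ layout from the question; the last line is added here to show
# the "+" marker, which none of the question's entries carry.
LISTING = """\
drwx--x--x.   3 foghorn-leghorn foghorn-leghorn u:object_r:system_data_file:s0   4096 Jun 27 14:27 user_die
dr--r--r--   26 foghorn-leghorn foghorn-leghorn ?                                4096 Jun 27 14:27 special_parts
drwxrwx--x+   3 root            root            u:object_r:customer_data_file:s0 4096 Jun 27 14:29 acl_example
"""

# type, 9 mode bits, optional marker, link count, owner, group, context, size, date (3 fields), name
ENTRY = re.compile(r"^([dl-])([rwxsStT-]{9})([.+]?)\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+\d+"
                   r"\s+\w+\s+\d+\s+\S+\s+(.+)$")

# Meaning of the character GNU ls appends after the mode bits.
MARKER = {"": "mode bits only",
          ".": "security context (SELinux label) present, no POSIX ACL",
          "+": "POSIX ACL or other alternate access method present"}

def parse_entry(line: str) -> dict:
    """Split one listing line into its fields plus the owner's read and search rights."""
    m = ENTRY.match(line.rstrip())
    if not m:
        raise ValueError(f"unrecognised listing line: {line!r}")
    ftype, mode, marker, owner, group, context, name = m.groups()
    return {"name": name, "is_dir": ftype == "d", "mode": mode, "marker": marker,
            "marker_means": MARKER[marker], "owner": owner, "group": group, "context": context,
            "owner_can_list": mode[0] == "r", "owner_can_search": mode[2] == "x"}

def diagnose(line: str) -> str:
    """State, from the listing alone, whether setfacl applies and what the mode bits forbid."""
    e = parse_entry(line)
    notes = [f"{e['name']}: {e['marker_means']}"]
    if e["marker"] != "+":
        notes.append("no ACL entries, so setfacl -b has nothing to remove")
    if e["is_dir"] and not e["owner_can_list"]:
        notes.append("owner lacks the read bit, so the directory cannot be listed")
    if e["is_dir"] and not e["owner_can_search"]:
        notes.append("owner lacks the search (x) bit, so entries inside cannot be reached")
    return "; ".join(notes)

def diagnose_listing(text: str = LISTING) -> dict:
    """Map each entry name to its diagnosis."""
    return {parse_entry(l)["name"]: diagnose(l) for l in text.splitlines() if l.strip()}
```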

Is the control bus “measured” in the number of bits it has?

In the system bus, the data bus and the address bus are “measured” in the number of bits that they have, for example we may say that the data bus is 32-bit and the address bus is 32-bit for some CPU model.

But do we “measure” the control bus in the same way, for example do we say that the control bus is 32-bit for some CPU model, or is the control bus a special case?