Example: Update the security store
The following examples use the SecurityControl feature in the Diffusion™ API to update the security store.
JavaScript
Note: Only steps 2 and 3 deal with the security store.
// Session security allows you to change the principal that a session is authenticated as. It also allows users to // query and update server-side security and authentication stores, which control users, roles and permissions. // This enables you to manage the capabilities that any logged in user will have access to. // Connect to Diffusion with control client credentials diffusion.connect({ host : 'diffusion.example.com', port : 443, secure : true, principal : 'control', credentials : 'password' }).then(function(session) { // 1. A session change their principal by re-authenticating session.security.changePrincipal('admin', 'password').then(function() { console.log('Authenticated as admin'); }); // 2. The security configuration provides details about roles and their assigned permissions session.security.getSecurityConfiguration().then(function(config) { console.log('Roles for anonymous sessions: ', config.anonymous); console.log('Roles for named sessions: ', config.named); console.log('Available roles: ', config.roles); }, function(error) { console.log('Unable to fetch security configuration', error); }); // 3. Changes to the security configuration are done with a SecurityScriptBuilder var securityScriptBuilder = session.security.securityScriptBuilder(); // Set the permissions for a particular role - global and topic-scoped // Each method on a script builder returns a new builder var setPermissionScript = securityScriptBuilder.setGlobalPermissions('SUPERUSER', ['REGISTER_HANDLER']) .setTopicPermissions('SUPERUSER', '/foo', ['UPDATE_TOPIC']) .build(); // Update the server-side store with the generated script session.security.updateSecurityStore(setPermissionScript).then(function() { console.log('Security configuration updated successfully'); }, function(error) { console.log('Failed to update security configuration: ', error); }); // 4. The system authentication configuration lists all users & roles session.security.getSystemAuthenticationConfiguration().then(function(config) { console.log('System principals: ', config.principals); console.log('Anonymous sessions: ', config.anonymous); }, function(error) { console.log('Unable to fetch system authentication configuration', error); }); // 5. Changes to the system authentication config are done with a SystemAuthenticationScriptBuilder var authenticationScriptBuilder = session.security.authenticationScriptBuilder(); // Add a new user and set password & roles. var addUserScript = authenticationScriptBuilder.addPrincipal('Superman', 'correcthorsebatterystapler') .assignRoles('Superman', ['SUPERUSER']) .build(); // Update the system authentication store session.security.updateAuthenticationStore(addUserScript).then(function() { console.log('Updated system authentication config'); }, function(error) { console.log('Failed to update system authentication: ', error); }); });
Java and Android
package com.pushtechnology.diffusion.examples; import java.util.Collections; import java.util.Map; import java.util.Set; import java.util.TreeSet; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.pushtechnology.diffusion.client.Diffusion; import com.pushtechnology.diffusion.client.callbacks.ErrorReason; import com.pushtechnology.diffusion.client.features.control.clients.SecurityControl; import com.pushtechnology.diffusion.client.features.control.clients.SecurityControl.ConfigurationCallback; import com.pushtechnology.diffusion.client.features.control.clients.SecurityControl.Role; import com.pushtechnology.diffusion.client.features.control.clients.SecurityControl.ScriptBuilder; import com.pushtechnology.diffusion.client.features.control.clients.SecurityControl.SecurityConfiguration; import com.pushtechnology.diffusion.client.features.control.clients.SecurityStoreFeature.UpdateStoreCallback; import com.pushtechnology.diffusion.client.session.Session; import com.pushtechnology.diffusion.client.types.GlobalPermission; import com.pushtechnology.diffusion.client.types.TopicPermission; /** * An example of using a control client to alter the security configuration. * <P> * This uses the {@link SecurityControl} feature only. * * @author Push Technology Limited * @since 5.3 */ public class ControlClientChangingSecurity { private static final Logger LOG = LoggerFactory.getLogger( ControlClientChangingSecurity.class); private final SecurityControl securityControl; /** * Constructor. */ public ControlClientChangingSecurity() { final Session session = Diffusion.sessions() // Authenticate with a user that has the VIEW_SECURITY and // MODIFY_SECURITY permissions. .principal("admin").password("password") // Use a secure channel because we're transferring sensitive // information. .open("wss://diffusion.example.com:80"); securityControl = session.feature(SecurityControl.class); } /** * This will update the security store to ensure that all roles start with a * capital letter (note that this does not address changing the use of the * roles in the system authentication store). * * @param callback result callback */ public void capitalizeRoles(UpdateStoreCallback callback) { securityControl.getSecurity(new CapitalizeRoles(callback)); } private final class CapitalizeRoles implements ConfigurationCallback { private final UpdateStoreCallback callback; CapitalizeRoles(UpdateStoreCallback callback) { this.callback = callback; } @Override public void onReply(SecurityConfiguration configuration) { ScriptBuilder builder = securityControl.scriptBuilder(); builder = builder.setRolesForAnonymousSessions( capitalize(configuration.getRolesForAnonymousSessions())); builder = builder.setRolesForNamedSessions( capitalize(configuration.getRolesForNamedSessions())); for (Role role : configuration.getRoles()) { final String oldName = role.getName(); final String newName = capitalize(oldName); // Only if new name is different if (!oldName.equals(newName)) { // Global Permissions final Set<GlobalPermission> globalPermissions = role.getGlobalPermissions(); if (!globalPermissions.isEmpty()) { // Remove global permissions for old role builder = builder.setGlobalPermissions( oldName, Collections.<GlobalPermission>emptySet()); // Set global permissions for new role builder = builder.setGlobalPermissions( newName, role.getGlobalPermissions()); } final Set<TopicPermission> defaultTopicPermissions = role.getDefaultTopicPermissions(); if (!defaultTopicPermissions.isEmpty()) { // Remove default topic permissions for old role builder = builder.setDefaultTopicPermissions( oldName, Collections.<TopicPermission>emptySet()); // Set default topic permissions for new role builder = builder.setDefaultTopicPermissions( newName, role.getDefaultTopicPermissions()); } final Map<String, Set<TopicPermission>> topicPermissions = role.getTopicPermissions(); if (!topicPermissions.isEmpty()) { for (Map.Entry<String, Set<TopicPermission>> entry : topicPermissions .entrySet()) { final String topicPath = entry.getKey(); // Remove old topic permissions builder = builder.removeTopicPermissions( oldName, topicPath); // Set new topic permissions builder = builder.setTopicPermissions( newName, topicPath, entry.getValue()); } } } final Set<String> oldIncludedRoles = role.getIncludedRoles(); if (!oldIncludedRoles.isEmpty()) { if (!oldName.equals(newName)) { // Remove old included roles builder = builder.setRoleIncludes( oldName, Collections.<String>emptySet()); } // This is done even if role name did not change as it is // possible that roles included may have final Set<String> newIncludedRoles = capitalize(oldIncludedRoles); builder = builder.setRoleIncludes( newName, newIncludedRoles); } } final String script = builder.script(); LOG.info( "Sending the following script to the server:\n{}", script); securityControl.updateStore( script, callback); } private Set<String> capitalize(Set<String> roles) { final Set<String> newSet = new TreeSet<>(); for (String role : roles) { newSet.add(capitalize(role)); } return newSet; } private String capitalize(String role) { return Character.toUpperCase(role.charAt(0)) + role.substring(1); } @Override public void onError(ErrorReason errorReason) { // This might fail if the session lacks the required permissions. callback.onError(errorReason); } } /** * Close the session. */ public void close() { securityControl.getSession().close(); } }
.NET
Change the URL from that provided in the example to the URL of Diffusion Cloud. Diffusion Cloud service URLs end in diffusion.cloud
This page last modified: 2019/11/22