
Security

This is a draft document - it can be changed at any time by anyone.

Overview

The application framework will use Apache Shiro for authentication and authorization. The configuration file will allow a user to select and configure a Realm. In addition to Shiro's Realm choices, the Realm choices will include "Native" - a custom Realm implementation that uses the entity engine for persistence.

Authorization will be built into the various foundation artifacts in such a way that access control can be externalized (managed outside the framework) - as proposed in the Security Redesign document.
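As an added illustration of the two paragraphs above (not code from the OFBiz project or this page), the sketch below shows what a "Native" Realm can look like as a Shiro AuthorizingRealm: authentication verifies the submitted password against a stored salted hash instead of a plaintext comparison, and authorization is delegated to a store so that roles and permissions can be managed outside the framework. The UserStore and Account types are assumptions standing in for the entity engine lookup, not OFBiz APIs.

```java
package org.apache.ofbiz.foundation.security;

import java.util.Set;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

/** Hypothetical "Native" realm. UserStore stands in for the entity engine
 *  lookup; its shape is an assumption for this example, not an OFBiz API. */
public class NativeRealm extends AuthorizingRealm {

    /** Minimal persistence view (assumed; returns null for unknown logins). */
    public interface UserStore {
        Account findByLoginId(String loginId);
        Set<String> rolesOf(String loginId);
        Set<String> permissionsOf(String loginId);
    }
    public record Account(String loginId, byte[] passwordHash, byte[] salt, boolean enabled) {}

    private final UserStore store;

    public NativeRealm(UserStore store) {
        this.store = store;
        // Verify the submitted password against the stored salted hash; the
        // algorithm and iteration count must match how the hash was created.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher("SHA-256");
        matcher.setHashIterations(100_000);
        setCredentialsMatcher(matcher);
        setAuthenticationTokenClass(UsernamePasswordToken.class);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String loginId = ((UsernamePasswordToken) token).getUsername();
        Account acct = store.findByLoginId(loginId);
        if (acct == null) throw new UnknownAccountException("no account for " + loginId);
        if (!acct.enabled()) throw new LockedAccountException("account disabled: " + loginId);
        // Shiro's matcher hashes the submitted password with this salt and compares.
        return new SimpleAuthenticationInfo(acct.loginId(), acct.passwordHash(),
                ByteSource.Util.bytes(acct.salt()), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String loginId = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(store.rolesOf(loginId));
        info.setStringPermissions(store.permissionsOf(loginId)); // e.g. "order:view:*"
        return info;
    }
}
```

Realm selection then happens in Shiro's configuration rather than in code; in a shiro.ini `[main]` section a line such as `nativeRealm = org.apache.ofbiz.foundation.security.NativeRealm` registers this class, and swapping in another Realm is a one-line change.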

Design Goals

  • Easy integration with existing authentication and authorization infrastructure.
  • Leverage external library - use very little custom code.
  • Thread-safe.

Basic Architecture

  • Library: Apache Shiro, OFBiz extensions
  • Java package name: org.apache.ofbiz.foundation.security

2 Comments

  1. Should also handle authentication from SAML and other SSO systems such as OKTA.
    Should also handle login through Google+, Facebook, LinkedIn and Twitter.

  2. Based on the comments / discussions under the Actor Management section I’m going to try and summarise a few things here.

    So at the moment under this security section do we need at least 2 ‘actors’ – the security principal and an application user (are there any more?).

    For each of these we would need to probably check they are valid (e.g. username, login name, etc.), and that their passwords or whatever they use to login with are valid. We also would probably need to give them access to whatever they are requesting access to. Is that along the lines of the type of information we are wanting to define here and is it generic enough for what we are trying to achieve?