https://atuldewangan.medium.com/role-based-access-control-rbac-476452806518 1/5
12/13/21, 2:20 PM Role-Based Access Control (RBAC). Role-Based Access Control (RBAC) | by Atul Dewangan | Medium
The aim is to assign each user a specific role; the user then has permission to access the API requests assigned to that role. A few highlights from the example above:
USER2 has the role Finance Manager, which carries the Invoices and Deliveries privileges, so it has access to all API requests for Invoices and Deliveries.
USER3 has the roles Catalogue Associate and Finance Manager, which together carry the Products Read/Write, Prices Read/Write, Invoices and Deliveries privileges, so it has access to the resources under all of those privileges.
USER4 has the admin role, which holds all privileges and therefore gives it access to all resources.
Implementation architecture
We will introduce an API gateway that calls the Authorization framework. The framework extracts the user from the JWT token, looks up the access control for the role(s) assigned to that user and, based on those roles, allows or denies the user's access to the resource before the actual service is called.
The Authorization framework will use Apache Shiro.
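The gateway decision described above, as an added Python model (not the article's code and not Apache Shiro): the users, roles and privileges are the article's worked example, while the route-to-privilege table and the claim handling are assumptions made up for the demo.

```python
# Added example: a minimal model of the gateway's authorization check.
# Role -> privileges (from the article's example)
ROLE_PRIVILEGES = {
    "Finance Manager": {"Invoices", "Deliveries"},
    "Catalogue Associate": {"Products Read/Write", "Prices Read/Write"},
    "admin": {"*"},  # admin holds every privilege
}

# User -> roles (from the article's example)
USER_ROLES = {
    "USER2": {"Finance Manager"},
    "USER3": {"Catalogue Associate", "Finance Manager"},
    "USER4": {"admin"},
}

# Assumed: which privilege each API route requires (the article lists no routes)
API_PRIVILEGE = {
    ("GET", "/invoices"): "Invoices",
    ("POST", "/deliveries"): "Deliveries",
    ("PUT", "/products"): "Products Read/Write",
    ("GET", "/prices"): "Prices Read/Write",
}


def privileges_for(user):
    """Realm-style lookup: resolve the user's roles into a flat privilege set."""
    privs = set()
    for role in USER_ROLES.get(user, ()):
        privs |= ROLE_PRIVILEGES.get(role, set())
    return privs


def authorize(user, method, path):
    """Gateway decision: allow only if the route is known and the user holds its privilege."""
    required = API_PRIVILEGE.get((method, path))
    if required is None:
        return False  # unmapped route: deny by default rather than fall through
    privs = privileges_for(user)
    return "*" in privs or required in privs


def authorize_request(claims, method, path):
    """Entry point: `claims` must already be signature-verified by the JWT library (assumed
    to happen upstream); an unauthenticated request carries no subject and is denied."""
    user = claims.get("sub")
    if not user:
        return False
    return authorize(user, method, path)
```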
Subject: a security-specific 'view' of the entity (user) currently interacting with the software.
Realms: Realms act as the 'bridge' or 'connector' between Shiro and your application's security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization
(access control), Shiro looks up many of these things from one or more Realms
configured for an application. In this sense a Realm is essentially a security-specific
DAO: it encapsulates connection details for data sources and makes the associated
data available to Shiro as needed. When configuring Shiro, you must specify at least
one Realm to use for authentication and/or authorization. The SecurityManager
may be configured with multiple Realms, but at least one is required.
A Realm is a component that can access application-specific security data such as users,
roles and permissions. The Realm translates this application-specific data into a format
that Shiro understands so Shiro can in turn provide a single easy-to-understand subject
programming API no matter how many data sources exist or how application-specific
your data might be.
Realms usually have a 1-to-1 correlation with a data source such as a relational database, LDAP directory, file system, or other similar resource. As such, implementations of the Realm interface use data-source-specific APIs to discover authorization data (roles, permissions, etc.), such as JDBC, File IO, Hibernate or JPA, or any other Data Access API.