
Security Customize

Security - Authentication & Authorization

Security Design

  • RBAC (Role Based Access Control): roles are mapped to permission rules for CRUD operations.

RBAC, Roles, Permissions, Users

  • Default Roles & Users:
    Role       Description
    USER       User Role
    ADMIN      Admin Role
    SUADMIN    Super Admin Role
  • The SUADMIN role is used for adding users and roles and for setting permissions.
  • Default Users & Roles Assigned :
    User         Roles Assigned
    emUser       USER
    emAdmin      USER, ADMIN
    emSuAdmin    SUADMIN
  • For Roles, EasyManage sets generic permissions for CRUD operations on all tables (objects), as per below:

  • Roles Vs CRUD Ops Permissions

    Role      Read    Create    Update    Delete
    USER      -
    ADMIN

Security - Backend Spring Java

Authentication & Authorization is provisioned in-built, or can be obtained from third-party authentication services.

Set/Enable In-built Authentication & Authorization via one of the methods below:

Out-Of-Box Available Methods

  • Method A : Backend API Secure with Basic Auth [InMemoryUserDetails], Frontend to Backend secure calling.
    • Enable Security in Backend APIs. Set frontend to backend secure calling. No User Level Sign-In.
  • Method B : Backend API Secure with Basic Auth [DatabaseBackedUserDetails], Frontend Secure
    • Enable Security in Backend APIs and Frontend. Get screens Splash, Sign-Up, Sign-In.
    • Backend: Authentication with a Database-backed UserDetailsService
  • OAuth2 Keycloak : Backend API Secure with OAuth2 and Keycloak Server
    • Backend API Secure with OAuth2 JWT (JSON Web Token)

Methods With Help of Templates

Methods Available with EasyManage Templates : Backend Templates

  • Backend Spring Java Security With
    • Social (Google, Github, ...)
  • Please refer to the Security section of Backend Templates

DIY Methods

  • Method : (DIY) Secure with Firebase Auth, Backend API Secure, Frontend Secure
    • Enable Security in Backend APIs and Frontend via provider Firebase Auth.

Out-Of-Box Available Low-Code Methods: How To Use?

Details are provided below for Methods A, B. Other methods are DIY (Do-It-Yourself).

Security - Backend Spring Java and Frontend Flutter

Method A : Backend and Frontend (Now No-Code)

(Note: Previously was Low-Code, Now it's Available as No-Code via Builder Studio Configuration)

Method A : Backend API Secure with Basic Auth [InMemoryUserDetails], Frontend to Backend secure calling.

  • Enable Security in Backend APIs. Set frontend to backend secure calling. Get screens Splash, Sign-In.
  • Handling of Authorizations as per Roles ROLE_USER, ROLE_ADMIN is done by backend APIs. Frontend will perform the action and show access error, if received from APIs.

Method B : Backend and Frontend Changes

Method B : Backend API Secure with Basic Auth [DatabaseBackedUserDetails], Frontend Secure

  • Enable Security in Backend APIs and Frontend. Get screens Splash, Sign-In, Sign-Up.
  • Backend: Authentication with a Database-backed UserDetailsService
  • Handling of Authorizations as per Roles ROLE_USER, ROLE_ADMIN is done by backend APIs. Frontend will perform the action and show access error, if received from APIs.
  • Display security-related screens, e.g. the Sign-In screen validates login with User/Password. The Sign-Up screen creates a new User in the database table and also saves the credentials on the frontend side in local device storage; for API calling it sets apiUsername, apiPassword from the locally stored Username/Password.

Low-Code - Changes

Pre-requisite: Generate code via Builder Studio Configuration : "Basic Auth [InMemoryUserDetails]", which corresponds to Method A : Backend API Secure with Basic Auth [InMemoryUserDetails], then follow the steps below.

Backend - Changes

Please use the Method B variation mentioned in backend changes.

Backend GraphQL APIs

To enable API security, follow the instructions in file EmDbGraphQLApp*\springGql\security\Readme_Security_Gql.txt

---------------------------------------------
To enable Spring Security For GraphQL - Http Basic Auth
Steps -
1] pom.xml : Uncomment dependency spring-boot-starter-security
2] Follow one of below Methods -


Method A - Backend API Secure with *Basic Auth* [InMemoryUserDetails]

COPY <this_dir>/basicAuthInMemoryUserDetailsGql To ../src/security/basicAuthInMemoryUserDetailsGql

Method B - Backend API Secure with *Basic Auth* [DatabaseBackedUserDetails]

COPY <this_dir>/basicAuthDbUserDetailsGql To ../src/security/basicAuthDbUserDetailsGql
COPY <this_dir>../../EmDbRestApp*/spring/security/DbUserDetails To ../src/security/DbUserDetails
Implement <this_dir>../../EmDbRestApp*/spring/security/sql/app_users.sql in your database.


3] Uncomment Security Auth Annotations in *GraphqlController.java, against required Mutations
e.g. @PreAuthorize("hasRole('USER') or hasRole('ADMIN')")
Also Uncomment imports required e.g.
//import org.springframework.security.access.annotation.Secured;
//import org.springframework.security.access.prepost.PreAuthorize;
4] Clean and Re-build project
---------------------------------------------
Note: The annotations below may have issues when used in Spring GraphQL
//@Secured({ "ADMIN" })
//@RolesAllowed({ "USER","ADMIN" })
---------------------------------------------

Backend REST APIs

To enable API security, follow the instructions in file EmDbRestApp*\spring\security\Readme_Security.txt

---------------------------------------------
To enable Spring Rest Security - Http Basic Auth
Steps -
1] pom.xml : Uncomment dependency spring-boot-starter-security
2] Follow one of below Methods -


Method A - Backend API Secure with *Basic Auth* [InMemoryUserDetails]

COPY <this_dir>/basicAuthInMemoryUserDetails To ../src/security/basicAuthInMemoryUserDetails

Method B - Backend API Secure with *Basic Auth* [DatabaseBackedUserDetails]

COPY <this_dir>/basicAuthDbUserDetails To ../src/security/basicAuthDbUserDetails
COPY <this_dir>/DbUserDetails To ../src/security/DbUserDetails
Implement <this_dir>/sql/app_users.sql in your database.

3] Security Authorization for api calls as per ROLE_USER, ROLE_ADMIN is implemented via antMatchers (in this file only).
4] Clean and Re-build project
---------------------------------------------
Note: The annotations below can also be used in Spring controller methods; import them as well
//@Secured({ "ADMIN" })
//@RolesAllowed({ "USER","ADMIN" })
---------------------------------------------

Frontend Flutter App Changes

Minor low-code customization is required to enable the Sign-Up screen; everything else is taken care of in the generated code.

Open file em_app\lib\em_param.dart , and make below change,

From String emAppSecureType = 'BA'; //[BA|BASU|OA]

To: String emAppSecureType = 'BASU'; //[BA|BASU|OA]

Frontend Flutter Production Deployment: Password Caution

A low-code option for FE-to-BE secure calling without a Frontend Sign-In screen is kept (via setting emApiCallSecure = true), if you need such a use case.

In that case the password is hardcoded in em_param.dart:

String emUsername = 'emAdmin'; //'emUser';  
String emPassword = 'emAdmin123'; //'emUser123';

For Production Deployment of such use case:

Caution: Including sensitive secrets in source code is meant for the development stage only. For production, use a better approach, e.g. i) set the emUsername, emPassword values via command-line parameters, and ii) use obfuscation:

flutter build appbundle --dart-define="emPassword=emAdmin123" --obfuscate --split-debug-info=< dir >

and read the values from the environment in source:

const emPassword = String.fromEnvironment("emPassword");

Security - Backend Express Node.js and Frontend Next.js React

Method A : Backend and Frontend Changes

Method A : Backend API Secure with Basic Auth [InMemoryUserDetails], Frontend to Backend secure calling.

  • Enable Security in Backend APIs. Set frontend to backend secure calling.
  • Handling of Authorizations as per Roles is not supported yet.
  • Frontend will perform the action and show access error, if received from APIs.

Backend Express Node.js Changes

Implement via minor low-code customization.

Open file backend\express\emapi\.env, and

  • set isApiSecureBasicAuth=Yes
  • verify/edit apiUserName/apiPassword values also.

Re-build project and run.

Frontend Next.js React Changes

Implement via minor low-code customization to 2 files:

  • .env - used for Client Components
  • .env.local - used for Server Components

Open file frontend\nextjs\em_app\.env, and

  • set NEXT_PUBLIC_isApiCallSecure=Yes
  • verify/edit NEXT_PUBLIC_apiUsername/NEXT_PUBLIC_apiPassword values also.

Open file frontend\nextjs\em_app\.env.local, and

  • set isApiCallSecure=Yes
  • verify/edit apiUsername/apiPassword values also.

Re-build project and run.