inteligr8/alfresco-ng2-components
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-ng2-components.git synced 2025-07-24 17:32:15 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
504c0b825a12d74013fe5610fc2bbd6bbf499906
alfresco-ng2-components/docs/core/services/auth-guard-sso-role.service.md
arditdomi 574db8d7cc [AAE-4985] - Make SSO Role Service accept a content admin role that is not part of the JWT token (#6942) 
* Add ability to check if the user is an ACS_ADMIN - not part of JTW token

* Make get user api call only once

* Add unit tests

* Add documentation

* Fix comments

* Exclude flaky tests, dependent on another test

* Fix unit test

* Fix comments

* Update documentation
2021-04-26 14:27:22 +01:00

2.5 KiB
Raw Blame History

Title, Added, Status, Last reviewed
Title Added Status Last reviewed
Auth Guard SSO Role service v3.1.0 Active 2019-03-19

Auth Guard SSO role service

Checks the user roles of a user.

Details

The Auth Guard SSO role service implements an Angular route guard to check the user has the right realms/client roles permission. This is typically used with the canActivate guard check in the route definition. The Auth Guard SSO is resposible to check if the JWT contains Realm roles (realm_access) or Client roles (resource_access) based on the route configuration.

Realms role Example

const appRoutes: Routes = [
    ...
    {
        path: 'examplepath',
        component: ExampleComponent,
        canActivate: [ AuthGuardSsoRoleService ],
        data: { roles: ['USER_ROLE1', 'USER_ROLE2']}
    },
    ...
]

If the user now clicks on a link or button that follows this route, they will be not able to access this content if they do not have the Realms roles.
Note: An additional role ALFRESCO_ADMINISTRATORS can be used in the roles array, which will result in checking whether the logged in user has Content Admin capabilities or not, as this role is not part of the JWT token it will call a Content API to determine it.

Client role Example

const appRoutes: Routes = [
    ...
    {
        path: ':examplepath',
        component: ExampleComponent,
        canActivate: [ AuthGuardSsoRoleService ],
        data: { clientRoles: ['examplepath'], roles: ['ACTIVITI_USER']},
    },
    ...
]

If the user now clicks on a link or button that follows this route, they will be not able to access this content if they do not have the Client roles.

Redirect over forbidden

If the you want to redirect the user to a page after a forbidden access, you can use the redirectUrl as in the example below:

const appRoutes: Routes = [
    ...
    {
        path: 'examplepath',
        component: ExampleComponent,
        canActivate: [ AuthGuardSsoRoleService ],
        data: { roles: ['ACTIVITI_USER'], redirectUrl: '/error/403'}
    },
    ...
]

Note: you can use this Guard in and with the other ADF auth guards.

See also