Authentication and authorization - seqcode/pegr GitHub Wiki

PEGR leverages Spring Security to control access to the application. Spring Security is a framework that provides authentication, authorization and other security features for enterprise applications. For authentication, PEGR uses four mechanisms: "daoAuthenticationProvider", "preAuthenticatedAuthenticationProvider", "anonymousAuthenticationProvider" and "rememberMeAuthenticationProvider". These are configured by defining the field grails.plugin.springsecurity.providerNames in the file pegr/grails-app/conf/application.groovy.

Through the "daoAuthenticationProvider", users can log in to PEGR using their registered username and password. The "preAuthenticatedAuthenticationProvider" is configured to work with the university's Identity and Access Management system (Cosign single sign-on with integration to Two-Factor Authentication), so that users can be authenticated through their university account without creating an additional password in PEGR. The "anonymousAuthenticationProvider" denies unauthenticated users access to the application except for the login page; and the "rememberMeAuthenticationProvider" stores the login information in a cookie and allows automatic login for an extended period.

PEGR implements Role Based Access Control and assigns a role group to each user. The role group defines URL-level access to the application. For example, users who belong to the "Admin" role group can access all URLs, including those for setting configuration, data curation, and user and role group management. On the other hand, users in the "Bioinformatician" or "Technician" role group have limited access; for example, they are not allowed to access the system configuration pages, whose URLs follow the pattern "/admin/**". The role-based authorizations are defined by the field grails.plugin.springsecurity.interceptUrlMap in the file pegr/grails-app/conf/application.groovy.
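The following application.groovy fragment is an added example, not PEGR's actual configuration file: it shows how the four providers and the URL-level role map described above are expressed with the Spring Security Core plugin for Grails 3. The authority name ROLE_ADMIN, the /login/** and /logout/** patterns and the catch-all rule are assumptions; only /admin/** and the provider names come from the page.

```groovy
// Added example (not PEGR's own application.groovy). Assumed: the ROLE_ADMIN
// authority name and every URL pattern other than /admin/**.
grails.plugin.springsecurity.providerNames = [
    'daoAuthenticationProvider',              // username + password stored in PEGR
    'preAuthenticatedAuthenticationProvider', // identity asserted by Cosign SSO in front of the app
    'anonymousAuthenticationProvider',        // unauthenticated requests carry an anonymous token
    'rememberMeAuthenticationProvider'        // persistent-login cookie
]

// Use the interceptUrlMap style of configuration rather than annotations.
grails.plugin.springsecurity.securityConfigType = 'InterceptUrlMap'

// Evaluated top to bottom and the first matching pattern wins, so the most
// specific patterns come first and a catch-all closes the list.
grails.plugin.springsecurity.interceptUrlMap = [
    [pattern: '/login/**',  access: ['permitAll']],        // anonymous users may reach the login page only
    [pattern: '/logout/**', access: ['permitAll']],
    [pattern: '/admin/**',  access: ['ROLE_ADMIN']],       // configuration, curation, user and role group management
    [pattern: '/**',        access: ['isAuthenticated()']] // everything else requires a logged-in user of any role
]
```

Two things to check in a real deployment: the list must end with a catch-all rule, otherwise a URL that matches no pattern is not protected at all; and the remember-me cookie is signed with grails.plugin.springsecurity.rememberMe.key, so the plugin's default value for that key has to be replaced with a deployment-specific secret or the cookie offers no real integrity protection.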

In addition, more granular access controls are defined for each project and sample. For example, users can be added to a project with different roles, e.g. "owner", "participant" or "guest". While all users linked to the project can view the project summary and all the samples in the project, only the owners of the project have the ability to edit the information. This is implemented through interceptors, which apply shared logic across a group of controller actions. The interceptor files are located in the folder pegr/grails-controllers/pegr/ and their file names end with "Interceptor". These interceptors are executed before the related controller actions are invoked and check whether the user has the appropriate role in the project.
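The class below is an added example of such an interceptor, not one of PEGR's own files: it runs before the editing actions of a project controller and refuses them unless the current user holds the "owner" role in that project. The domain class ProjectUser with its fields project, user and role, the action names matched, and the use of the id parameter are assumptions; the role names come from the page.

```groovy
package pegr

import grails.plugin.springsecurity.SpringSecurityService

// Added example, not a PEGR interceptor. Assumed (not from the page): the
// ProjectUser domain class and its project/user/role fields, the Project
// domain class, the `id` request parameter and the action names below.
class ProjectOwnerInterceptor {

    SpringSecurityService springSecurityService

    ProjectOwnerInterceptor() {
        // Only the mutating actions of ProjectController are guarded here;
        // viewing stays open to every user linked to the project.
        match(controller: 'project', action: ~/(edit|update|delete)/)
    }

    boolean before() {
        def currentUser = springSecurityService.currentUser
        Long projectId = params.long('id')
        if (!currentUser || !projectId) {
            render status: 403      // fail closed: no user or no project id means no edit
            return false
        }
        Project project = Project.get(projectId)
        if (!project) {
            render status: 404
            return false
        }
        // Look up the membership row; a missing row means the user is not on the project at all.
        ProjectUser membership = ProjectUser.findByProjectAndUser(project, currentUser)
        if (membership?.role == 'owner') {
            return true             // let the controller action run
        }
        render status: 403          // participants, guests and outsiders are rejected before the action
        return false
    }

    boolean after() { true }
}
```

Returning false from before() stops the request before the controller action executes, so the ownership check cannot be bypassed by calling the action directly; the check deliberately treats every case other than a confirmed "owner" membership as a denial rather than listing the roles to reject.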