Content Encryption #356

Closed
fsscloud opened this issue Sep 10, 2020 · 11 comments

@fsscloud

I am new to Spring Content.

Is there a way to encrypt the File Content that is stored on the File System?

How to achieve content encryption?

@paulcwarren
Owner

paulcwarren commented Sep 13, 2020

Hi @fsscloud,

I assume you mean encryption of the content at rest?

If you are using S3 storage then you should be able to configure your bucket to encrypt the content when stored.

If you are using another of our Storage modules and if you are using the ContentStore then yes it is possible to plug in an encoder/decoder. Spring Content has an event handling mechanism so you could register a couple of event handlers to do the encoding/unencoding, as follows:

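    // Needs java.io.File, java.io.FileWriter, java.io.IOException and java.io.UncheckedIOException.
    @Configuration
    public static class Config {

        @Bean
        public ContentRestConfigurer configurer() {
            return new ContentRestConfigurer() {
                @Override
                public void configure(RestConfiguration config) {
                    // tell Spring Content REST to prefer setContent(entity, resource) for PUT and POST
                    config.forDomainType(YourDomainClass.class).putAndPostPreferResource();
                }
            };
        }

        @Bean
        public MyStoreEventHandler eventHandlers() {
            return new MyStoreEventHandler();
        }
    }

    @StoreEventHandler
    public static class MyStoreEventHandler extends AbstractStoreEventListener {

        @Override
        public void onBeforeSetContent(BeforeSetContentEvent event) {
            // replace the contents with their encoded form;
            // encode() and decode() are your own helpers, not part of Spring Content
            try {
                File f = event.getResource().getFile();
                // encode before opening the writer: FileWriter(f, false) truncates the file
                String encoded = encode(f);
                try (FileWriter fw = new FileWriter(f, false)) {
                    fw.write(encoded);
                }
                // ...
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
        }

        @Override
        public void onAfterGetContent(AfterGetContentEvent event) {
            // replace the result with the decoded content
            event.setResult(decode(event.getResult()));
        }
    }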

If you are also using one of the Spring Content storage modules directly then you should call setContent(entity, resource). If you are using Spring Content REST endpoints then you will need to prefer the setContent(entity, resource) method (as shown above).

If you are using Store then let me know; we can probably figure that one out too.

@fsscloud
Author

We were using the File Content Store. The ultimate aim is to use an object store like ECS or S3 but for now it is a SAN location. And yes, it's encryption at rest. I will try what you are suggesting and get back to you.

I was very impressed by your YouTube video on how to simplify the ECM application usage. It was the exact solution that I was looking for. How actively are you developing Spring Content?

Another question was regarding ACLs. Is there a way to integrate Spring ACL with Spring Content?

Or is there a way to provide access to content based on a role as defined in a Keycloak-like application?

@paulcwarren
Owner

paulcwarren commented Sep 14, 2020

Thanks for your kind words.

I am actively developing Spring Content and my goal is to make it an official Spring project rather than a community project as it is today but in order to do that we need to grow the community around the project.

Spring Content has the same philosophy as regular Spring projects. They are independent but can be used together. To that end our goal is to support both Spring Security and Spring Security ACL allowing consumers to provide newer style role-based security and more traditional access control lists, whichever works best for them.

I'd be happy to work with you to get a sample of either or both up and running as I would then re-purpose those samples as guides in our docs.

@fsscloud
Author

Hi Paul,
Thank you for extending the help.

We are trying the Spring ACL integration this week. Will keep you posted how it goes. If there is any documentation or help you can provide it will be always appreciated.

When you say new RBAC, how can we do RBAC on documents without ACLs?

@paulcwarren
Owner

Re ACL. I don't have any docs resources at the moment so, instead, I am happy to answer questions/debug issues to try and get you up and running with Spring Content/ACL integration. Initially, we could collaborate via a GitHub project maybe? That way if you encounter any issues there is a sample project for me to debug.

Re RBAC. I just mean that for simpler and more static security use cases you can secure your Spring Data REST/Content REST endpoints or your repository/store methods by role by configuring HttpSecurity or @EnableGlobalMethodSecurity respectively. But it sounds like you have a more dynamic use case that needs to be satisfied with an ACL-based solution.

@fsscloud
Author

I'll create a GitHub sample project and share it with you. I am just getting my team up and ready with both Spring Content & ACL.

And sorry, I am probably still old school; I have been in the Documentum world for a long, long time... so thinking of RBAC without ACLs still does not fit in with my thought process yet. Though role-based ACLs have always been the way to go...

@paulcwarren
Owner

@fsscloud, how are we getting on with this? Did you have time to start investigating this?

@fsscloud
Author

fsscloud commented Oct 4, 2020

Hi Paul. The team was distracted due to some urgent client work, this being their 30% side work. I will keep you updated. Please can you share your email ID?

@paulcwarren
Owner

It's the one available on my public profile - at least I think it is public? warrenpa@vmware.com

@paulcwarren
Owner

Hey @fsscloud,

Is there any more to do on this issue? Or did we satisfy the requirement in the end?

Thanks
Paul

@paulcwarren
Owner

Closing due to inactivity. Please feel free to open if there is more to do here. Thanks
