Class Diagram for Web Application Authentication and Authorization

This class diagram models the core components of user authentication and authorization in a web application, emphasizing secure identity management and role-based access control (RBAC).

Core Classes & Attributes

1. User
   • Attributes: UserID (PK), Username, Email, HashedPassword, IsActive, LastLoginDate.
   • Methods: authenticate(String password), changePassword().
   • Role: Represents individual users with unique credentials.
2. Role
   • Attributes: RoleID (PK), RoleName (e.g., "Admin", "Editor", "Guest"), Description.
   • Associations:
     • Many-to-Many with User: A user can have multiple roles (e.g., "Admin" + "Editor"), and a role can be assigned to multiple users.
3. Permission
   • Attributes: PermissionID (PK), PermissionName (e.g., "CreatePost", "DeleteUser"), Resource (e.g., "Article", "User").
   • Associations:
     • Many-to-Many with Role: A role (e.g., "Admin") inherits multiple permissions, and a permission can be granted to multiple roles.
4. AuthenticationService
   • Methods: login(String username, String password), logout(), generateJWT(User).
   • Role: Manages session creation, JWT token generation, and integration with external auth providers (e.g., OAuth).
5. AuthorizationFilter
   • Methods: validateToken(String jwt), checkPermission(String requiredPermission).
   • Role: Acts as a middleware to intercept requests, validate JWT tokens, and enforce permission checks before granting access to resources.
6. OAuthProvider
   • Subclasses: GoogleOAuth, FacebookOAuth.
   • Methods: redirectToLogin(), fetchUserProfile(String authCode).
   • Role: Implements third-party authentication flows, extending AuthenticationService.

Key Relationships

1. User ↔ Role: Many-to-Many via UserRole Association
   • Intermediate class UserRole records role assignments (e.g., UserID=1 assigned RoleID=2 on Date=2024-01-01).
2. Role ↔ Permission: Many-to-Many via RolePermission Association
   • Intermediate class RolePermission defines permissions for each role (e.g., RoleID=2 (Editor) granted PermissionID=5 (EditArticle)).
3. AuthenticationService ↔ OAuthProvider: Inheritance
   • Concrete OAuth classes inherit from OAuthProvider, reusing common methods like redirectToLogin().
4. AuthorizationFilter ↔ User: Dependency
   • AuthorizationFilter accesses User and Role data to validate permissions (e.g., checking if a user’s role includes "DeleteUser" permission).

Workflows & Business Logic

1. Authentication Flow:
   • User submits credentials via LoginController, triggering AuthenticationService.login().
   • If credentials are valid, AuthenticationService generates a JWT token containing user roles/permissions and returns it to the client.
2. Authorization Flow:
   • Client includes the JWT token in subsequent requests.
   • AuthorizationFilter intercepts requests, decodes the token, and uses RolePermission mappings to check if the user has permission to access the requested resource (e.g., /api/users/delete requires "DeleteUser" permission).
3. Role-Based Access Control (RBAC):
   • Admins assign roles to users via the UserRole interface, and roles are mapped to permissions via RolePermission.
   • Example: A "Guest" role may have only "ReadArticle" permission, while an "Admin" role has "CreateUser", "DeleteUser", and "ManageRoles".
4. Third-Party Authentication:
   • Users can log in via GoogleOAuth, which calls fetchUserProfile() to retrieve email/roles from Google, creating or updating a User record in the system.

Design Principles

• Security:
  • Passwords are stored as hashes (never plaintext) in the User class.
  • JWT tokens are short-lived and include refresh tokens for secure session management.
• Scalability:
  • Separate Role and Permission classes allow granular permission updates without modifying user records.
  • OAuthProvider can be extended to support new auth providers (e.g., GitHub, Twitter).
• Single Responsibility:
  • AuthenticationService handles login/logout, AuthorizationFilter manages access control, and User focuses on profile data.