
feature request #7972

explicitly allow disallow access to HTTP Invoker endpoints (/remoting/**)

Added by Andreas Kohlbecker 10 months ago. Updated 10 months ago.

Status: Resolved
Priority: Priority14
Category: cdmlib-remote
Target version:
Start date: 01/09/2019
Due date:
% Done: 100%
Severity: critical

Description

Users can always see any data in the Taxeditor; this can be problematic for projects in which private data must not be un-disclosed to arbitrary users.

The most straightforward approach is to use Spring Security to configure the MultiWebSecurityConfiguration#RemotingWebSecurityConfigurationAdapter accordingly.
This involves implementing one of the following rules:

  • All users can always access /remoting/** unless they have the role `ROLE_REMOTING_DENIED` (rejected)
  • Users need to be assigned the role `ROLE_REMOTING` to access /remoting/** (agreed)

If the role is missing in the db it will be created and added to the Groups Editor and EditorExtendedCreate by the FirstDataInserter.
The role will however not be added to the editor groups in case the role exists but is missing from one of these groups. This allows removal of the role from the editor groups to withdraw the remote editing permission from editors in general for a project.
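The agreed rule from the description, as an added example that is not cdmlib's own code: a Spring Security adapter in the style of the issue's MultiWebSecurityConfiguration restricting /remoting/** to the roles named in the associated commits, plus a sketch of the FirstDataInserter semantics (grant only on first creation). Class, method and variable names other than the roles and group names quoted from the issue are assumptions.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical stand-in for cdmlib's MultiWebSecurityConfiguration: the
// "positive role" rule agreed in the issue, applied to the HTTP Invoker path.
@Configuration
@EnableWebSecurity
public class RemotingSecurityExample {

    @Configuration
    @Order(1) // evaluated before any catch-all adapter for the rest of the app
    public static class RemotingAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/remoting/**")          // this adapter only covers remoting
                .authorizeRequests()
                    // hasAnyRole() prepends "ROLE_": ROLE_ADMIN, ROLE_REMOTING and
                    // ROLE_PROJECT_MANAGER (the latter added by revision c1d9a788)
                    .anyRequest().hasAnyRole("ADMIN", "REMOTING", "PROJECT_MANAGER")
                .and()
                .httpBasic();
        }
    }

    // Hypothetical sketch of the FirstDataInserter behaviour described above:
    // create ROLE_REMOTING and grant it to the editor groups only when the role
    // did not exist yet, so an admin's deliberate removal of the role from a
    // group is not undone on the next start-up. Returns true if the role was created.
    public static boolean ensureRemotingRole(Set<String> roles, Map<String, Set<String>> groups) {
        if (roles.contains("ROLE_REMOTING")) {
            return false; // role exists: leave group memberships as the admin left them
        }
        roles.add("ROLE_REMOTING");
        for (String groupName : new String[] {"Editor", "EditorExtendedCreate"}) {
            groups.computeIfAbsent(groupName, k -> new HashSet<>()).add("ROLE_REMOTING");
        }
        return true;
    }
}
```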


Related issues

Precedes feature request #7993: Display "Access Denied" dialog in case the remoting service responds with status code = 4xx (Closed, 01/10/2019)

Associated revisions

Revision fa4763c1 (diff)
Added by Andreas Kohlbecker 10 months ago

ref #7972 FirstDataInserter adding ROLE_REMOTING to the editor groups

Revision 7f87310a (diff)
Added by Andreas Kohlbecker 10 months ago

fix #7972 restricting access to /remoting/** to role 'ROLE_ADMIN', 'ROLE_REMOTING'

Revision c1d9a788 (diff)
Added by Andreas Kohlbecker 10 months ago

ref #7972, ref #8042 permitting remoting access to ROLE_PROJECT_MANAGER

History

#1 Updated by Andreas Kohlbecker 10 months ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 10

The edit team agreed that introducing the positive role ROLE_REMOTING would be the preferred solution.

The new Role would need to be added to all default Editor groups, which are Editor and EditorExtendedCreate (see eu.etaxonomy.cdm.model.common.Group and eu.etaxonomy.cdm.api.application.FirstDataInserter).

#2 Updated by Andreas Kohlbecker 10 months ago

  • Precedes feature request #7993: Display "Access Denied" dialog in case the remoting service responds with status code = 4xx added

#3 Updated by Andreas Kohlbecker 10 months ago

  • Status changed from In Progress to Resolved
  • % Done changed from 10 to 50

#4 Updated by Andreas Kohlbecker 10 months ago

  • Status changed from Resolved to Closed
  • % Done changed from 50 to 100

#5 Updated by Andreas Kohlbecker 10 months ago

  • Description updated (diff)

#6 Updated by Andreas Kohlbecker 10 months ago

  • Description updated (diff)

#7 Updated by Andreas Müller 10 months ago

  • Status changed from Closed to Resolved
  • Assignee changed from Andreas Kohlbecker to Andreas Müller

Just to remind me to have a look at how it is implemented.

#8 Updated by Andreas Müller 10 months ago

  • Priority changed from Highest to Priority14
