feature request #7972 (open)
explicitly allow / disallow access to HTTP Invoker endpoints (/remoting/**)
100% done
Description
Users can always see any data in the Taxeditor. This can be problematic for projects in which private data must not be disclosed to arbitrary users.
The most straightforward approach is to use Spring Security to configure the MultiWebSecurityConfiguration#RemotingWebSecurityConfigurationAdapter accordingly.
This involves implementing one of the following rules:
- All users can always access /remoting/** unless they have the role `ROLE_REMOTING_DENIED` (rejected)
- Users need to be assigned the role `ROLE_REMOTING` to access /remoting/** (agreed)
agreed
If the role is missing in the db it will be created and added to the groups Editor and EditorExtendedCreate by the FirstDataInserter.
The role will however not be added to the editor groups in case the role exists but is missing from one of these groups. This allows removal of the role from the editor groups to withdraw the remote editing permission from editors in general for a project.
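The agreed rule, written out as an added Spring Security example (not the cdmlib project's own code, and not its RemotingWebSecurityConfigurationAdapter): a filter chain scoped to /remoting/** that rejects every request whose authenticated principal does not carry ROLE_REMOTING. It assumes Spring Security's WebSecurityConfigurerAdapter API and HTTP Basic authentication on the remoting endpoints; the class name and order are hypothetical.

```java
// Added example, not cdmlib code: positive-role protection of the HTTP Invoker
// endpoints. Class name and @Order value are assumptions.
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@EnableWebSecurity
@Order(1) // evaluated before any broader (e.g. /**) filter chain
public class RemotingWebSecurityExampleConfig extends WebSecurityConfigurerAdapter {

    // hasRole() prepends "ROLE_", so this matches the ROLE_REMOTING authority
    // that FirstDataInserter assigns to the Editor groups.
    static final String REMOTING_ROLE = "REMOTING";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This chain applies to the HTTP Invoker endpoints only.
            .antMatcher("/remoting/**")
            .authorizeRequests()
                // Positive rule: access requires ROLE_REMOTING. Anonymous users
                // get 401, authenticated users without the role get 403, which
                // the Taxeditor can surface as an "Access Denied" dialog (#7993).
                .anyRequest().hasRole(REMOTING_ROLE)
            .and()
            // Invoker clients authenticate every request with HTTP Basic.
            .httpBasic()
            .and()
            // No server-side session for stateless remoting calls.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // The remoting protocol carries no CSRF token; each call is instead
            // authenticated per request above, so CSRF protection is disabled
            // for this chain only.
            .csrf().disable();
    }
}
```

Removing ROLE_REMOTING from the Editor groups, as the description allows, then withdraws remoting access from all editors without touching this configuration.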
Related issues
Updated by Andreas Kohlbecker over 5 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 10
The edit team agreed that introducing the positive role ROLE_REMOTING would be the preferred solution.
The new Role would need to be added to all default Editor groups, which are Editor, EditorExtendedCreate (see eu.etaxonomy.cdm.model.common.Group and eu.etaxonomy.cdm.api.application.FirstDataInserter).
Updated by Andreas Kohlbecker over 5 years ago
- Precedes feature request #7993: Display "Access Denied" dialog in case the remoting service responds with status code = 4xx added
Updated by Andreas Kohlbecker over 5 years ago
- Status changed from In Progress to Resolved
- % Done changed from 10 to 50
Applied in changeset cdmlib|7f87310a8313162080add7230915ed67c0316615.
Updated by Andreas Kohlbecker over 5 years ago
- Status changed from Resolved to Closed
- % Done changed from 50 to 100
Updated by Andreas Müller over 5 years ago
- Status changed from Closed to Resolved
- Assignee changed from Andreas Kohlbecker to Andreas Müller
Just to remind me to have a look at how it is implemented.
Updated by Andreas Müller over 5 years ago
- Priority changed from Highest to Priority14