feature request #7972
explicitly allow disallow access to HTTP Invoker endpoints (/remoting/**)
Users can always see any data in the Taxeditor, this can be problematic for projects in which private data must not be un-disclosed to arbitrary users.
The must straight forward approach is to use Spring Security to configure the
This involves implementing one of the following rules:
All users can always accessrejected
/remoting/**unless they have the role `ROLE_REMOTING_DENIED
- Users need to be assigned with the
If the role is missing in the db it will be created and added to the Groups
EditorExtendedCreate by the
The role will however not be added to the editor groups in case the role exist but is missing from one of these groups. This allows removal of the role from the editor groups to withdraw the remote editing permission from editors in general for a project.
fix #7972 restricing access to /remoting/** to role 'ROLE_ADMIN', 'ROLE_REMOTING'
#1 Updated by Andreas Kohlbecker over 1 year ago
- Status changed from New to In Progress
- % Done changed from 0 to 10
The edit team agreed that introducing the positive role
ROLE_REMOTING would be be preferred solution.
The new Role would need to be added to all default Editor groups, which are