Project

General

Profile

Actions

feature request #7972

open

explicitly allow disallow access to HTTP Invoker endpoints (/remoting/**)

Added by Andreas Kohlbecker over 5 years ago. Updated over 5 years ago.

Status:
Resolved
Priority:
Priority14
Category:
cdmlib-remote
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Severity:
critical

Description

Users can always see any data in the Taxeditor, this can be problematic for projects in which private data must not be un-disclosed to arbitrary users.

The must straight forward approach is to use Spring Security to configure the MultiWebSecurityConfiguration#RemotingWebSecurityConfigurationAdapter accordingly.
This involves implementing one of the following rules:

  • All users can always access /remoting/** unless they have the role `ROLE_REMOTING_DENIED rejected
  • Users need to be assigned with the ROLE_REMOTING to access /remoting/** agreed

If the role is missing in the db it will be created and added to the Groups Editor and EditorExtendedCreate by the FirstDataInserter.
The role will however not be added to the editor groups in case the role exist but is missing from one of these groups. This allows removal of the role from the editor groups to withdraw the remote editing permission from editors in general for a project.


Related issues

Precedes EDIT - feature request #7993: Display "Access Denied" dialog in case the remoting service responds with status code = 4xxClosedKatja Luther

Actions
Actions #1

Updated by Andreas Kohlbecker over 5 years ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 10

The edit team agreed that introducing the positive role ROLE_REMOTING would be be preferred solution.

The new Role would need to be added to all default Editor groups, which are Editor, EditorExtendedCreate (see eu.etaxonomy.cdm.model.common.Group and eu.etaxonomy.cdm.api.application.FirstDataInserter)

Actions #2

Updated by Andreas Kohlbecker over 5 years ago

  • Precedes feature request #7993: Display "Access Denied" dialog in case the remoting service responds with status code = 4xx added
Actions #3

Updated by Andreas Kohlbecker over 5 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 10 to 50
Actions #4

Updated by Andreas Kohlbecker over 5 years ago

  • Status changed from Resolved to Closed
  • % Done changed from 50 to 100
Actions #5

Updated by Andreas Kohlbecker over 5 years ago

  • Description updated (diff)
Actions #6

Updated by Andreas Kohlbecker over 5 years ago

  • Description updated (diff)
Actions #7

Updated by Andreas Müller over 5 years ago

  • Status changed from Closed to Resolved
  • Assignee changed from Andreas Kohlbecker to Andreas Müller

Just to remind me to have look how it is implemented.

Actions #8

Updated by Andreas Müller over 5 years ago

  • Priority changed from Highest to Priority14
Actions

Also available in: Atom PDF