feature request #7972

explicitly allow disallow access to HTTP Invoker endpoints (/remoting/**)

Added by Andreas Kohlbecker about 5 years ago. Updated about 5 years ago.

Status: Resolved
Priority: Priority14
Category: cdmlib-remote
% Done: 100%
Severity: critical

Description

Users can always see any data in the Taxeditor. This can be problematic for projects in which private data must not be disclosed to arbitrary users.

The most straightforward approach is to use Spring Security to configure the MultiWebSecurityConfiguration#RemotingWebSecurityConfigurationAdapter accordingly.
This involves implementing one of the following rules:

  • All users can always access /remoting/** unless they have the role `ROLE_REMOTING_DENIED` (rejected)
  • Users need to be assigned the role `ROLE_REMOTING` to access /remoting/** (agreed)

If the role is missing in the db, it will be created and added to the groups Editor and EditorExtendedCreate by the FirstDataInserter.
The role will however not be added to the editor groups in case the role exists but is missing from one of these groups. This allows removal of the role from the editor groups to withdraw the remote editing permission from editors in general for a project.
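As an added example, not the project's own MultiWebSecurityConfiguration code, the agreed rule expressed as a Spring Security Java config: only authenticated users holding ROLE_REMOTING reach /remoting/**. The class names are hypothetical and the WebSecurityConfigurerAdapter API of Spring Security 4/5 is assumed.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Hypothetical outer configuration holding one adapter per URL space
 * (the "multiple HttpSecurity" pattern). Only the remoting adapter is shown.
 */
@Configuration
@EnableWebSecurity
public class RemotingAccessExample {

    @Configuration
    @Order(1) // evaluated before any catch-all adapter for the remaining URLs
    public static class RemotingWebSecurity extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // scope this adapter to the HTTP Invoker endpoints only
                .antMatcher("/remoting/**")
                .authorizeRequests()
                    // hasRole("REMOTING") matches the granted authority "ROLE_REMOTING".
                    // Callers without credentials receive 401, authenticated callers
                    // lacking the role receive 403; both are 4xx responses the
                    // client can surface to the user (compare #7993).
                    .anyRequest().hasRole("REMOTING")
                    .and()
                // HTTP Invoker clients authenticate with HTTP Basic, not a login form
                .httpBasic()
                    .and()
                // remoting clients are not browsers, so CSRF tokens do not apply here
                .csrf().disable();
        }
    }
}
```

The rejected variant (deny only holders of ROLE_REMOTING_DENIED) would replace the `hasRole` line with an expression such as `access("!hasRole('REMOTING_DENIED')")`, which leaves every other user, including unauthenticated ones, with access; that is why the allow-list form was agreed.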


Related issues

Precedes EDIT - feature request #7993: Display "Access Denied" dialog in case the remoting service responds with status code = 4xx (Closed, Katja Luther)
