Hello,

I have configured my jaas.conf to use LDAP for authentication. On the surface 
everything appears to work fine: incorrect username/password combinations 
result in 401 responses, and valid credentials provide access. But a valid 
username with a blank password also provides access, which is bad.

I'm testing 3.6.1. For sanity's sake I tested this on a fresh install of 3.5 
with authN and authZ enabled, and reached the same result.

I'm using the standard xacml-2.0 policies plus one basic one granting api-a to 
a specific IP range. It is included below.

Here's my jaas.conf:

fedora-auth
{
    org.fcrepo.server.security.jaas.auth.module.LdapModule sufficient
        host.url="ldap://XXX.XXX.XXX:XXX/"
        auth.type="simple"
        bind.mode="bind"
        bind.filter="uid={0},ou=People,o=XXX.XXX"
        attrs.fetch="ou,falvey"
        debug=true;

    org.fcrepo.server.security.jaas.auth.module.XmlUsersFileModule sufficient
        debug=true;
};

My API-A Policy:

        <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
                xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
                PolicyId="permit-apia-to-localhost"
                RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
          <Description>A Policy that grants read access to localhost</Description>
          <Target>
            <Actions>
              <!-- Generic Read -->
              <Action>
                <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                  <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
                                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                </ActionMatch>
              </Action>
            </Actions>
          </Target>

          <Rule Effect="Permit" RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit">
            <Condition>
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
                <!-- Permit this 'Bag' -->
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                  <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
                                                  DataType="http://www.w3.org/2001/XMLSchema#string"/>
                  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">::1</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0:0:0:0:0:0:0:1</AttributeValue>
                  </Apply>
                </Apply>
                <!-- OR Permit this subnet string -->
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
                  <!-- Villanova Subnet -->
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">XXX\.XXX\.\d{1,3}\.\d{1,3}</AttributeValue>
                  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                    <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
                                                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
                  </Apply>
                </Apply>
              </Apply>
            </Condition>
          </Rule>
        </Policy>


Thanks for your time.

David Lacy
Falvey Library Technology Services
Villanova University
library.villanova.edu
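
A constructed illustration of the behaviour reported above, added here and not part of the original mail or of Fedora's LdapModule: a fake directory that honours LDAP "unauthenticated binds" (a non-empty name with an empty password, RFC 4513 section 5.1.2) reproduces the blank-password login, and a fail-closed guard in front of the bind stops it. The uid values, passwords and FAKE_DIRECTORY below are assumptions.

```python
"""Fail-closed guard against LDAP unauthenticated binds (constructed example).

The fake server models the root cause of the symptom in the mail: a simple
bind carrying a DN plus an EMPTY password is an "unauthenticated bind"
(RFC 4513 section 5.1.2), and a server that allows it answers with success
for an anonymous session instead of invalidCredentials. A bind-mode login
module that treats "bind succeeded" as "password verified" then lets any
valid username in with a blank password.
"""

# Constructed sample directory (hypothetical users and passwords): uid -> password.
FAKE_DIRECTORY = {"dlacy": "correct horse", "alice": "s3cret"}

# Same DN pattern as the bind.filter in the jaas.conf above.
BIND_FILTER = "uid={0},ou=People,o=XXX.XXX"


def fake_ldap_simple_bind(dn: str, password: str) -> bool:
    """Model of a directory server that permits unauthenticated binds."""
    if password == "":
        # Name present, password empty: the server grants an anonymous
        # session and never consults the entry behind the DN at all.
        return True
    rdn = dn.split(",", 1)[0]
    uid = rdn[len("uid="):] if rdn.startswith("uid=") else rdn
    return FAKE_DIRECTORY.get(uid) == password


def naive_authenticate(username: str, password: str) -> bool:
    """Bind-mode login as described in the mail: the bind result is the verdict."""
    return fake_ldap_simple_bind(BIND_FILTER.format(username), password)


def hardened_authenticate(username: str, password: str) -> bool:
    """Same flow, but refuse to bind unless both credentials are non-empty."""
    if not username or not password:
        # Fail closed: an empty password must never reach the bind request,
        # because the server may legitimately accept it as anonymous.
        return False
    return fake_ldap_simple_bind(BIND_FILTER.format(username), password)
```

The guard only protects this one client; the directory server should additionally be configured to reject unauthenticated binds so that other bind-mode consumers do not inherit the same behaviour.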

_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
