There is actually already an existing patch that does, I think, something
similar to what is being suggested here:

  http://jira.codehaus.org/browse/GEOS-3791

It's been sitting there for a while. I am thinking with the security changes
in 2.2 it would be a good time to push this in.

On Thu, May 31, 2012 at 8:37 AM, Andrea Aime
<[email protected]> wrote:

> On Thu, May 31, 2012 at 3:07 PM, Fabrizio Tringali <[email protected]>
> wrote:
> > Hi everybody,
> >
> > I spent a day trying to set up REST security configuration (rest.properties)
> > in a way that allows free access of a ROLE_X to workspace "abc" locking down
> > others.
> >
> > Imho, securing the service by Ant patterns without an "ordered" list of
> > rules is too difficult.
> >
> > I didn't find a way to satisfy my requirement in such a situation, so I did
> > some little changes to trunk code (I'll send diff and .java files if
> > necessary): TreeSet -> LinkedHashSet and so on.
> >
> > Now, via rest.properties I could take advantage of all capabilities of
> > Spring Security....
> >
> > /rest;GET=ROLE_ADMINISTRATOR,ROLE_X
> > /rest/workspaces*;GET=ROLE_ADMINISTRATOR,ROLE_X
> > /rest/workspaces/abc*;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR,ROLE_X
> > /rest/workspaces/abc/**;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR,ROLE_X
> > /**;GET,POST,DELETE,PUT=ROLE_ADMINISTRATOR
> >
> > Before, rules were returned by "natural ordering" and the last (/**) was
> > always read as first matching rule, allowing only rules like the following
> > (note that GET method is not in the last line)
> >
> > /rest/workspaces/topp*;GET=ROLE_ADMINISTRATOR
> > /rest/workspaces/topp/**;GET=ROLE_ADMINISTRATOR
> > /**;POST,DELETE,PUT=ROLE_ADMINISTRATOR
> >
> >
> > Please let me know your opinions
>
> The approach suggested seems to work.
>
> In general I don't like rule systems that work based on rule order
> (a-la iptables) when it's also possible to apply a specificity approach,
> which does not require ordering instead: it's the CSS approach, where the
> most specific rule applies regardless of the order.
>
> That said, don't know if it's possible to bend spring to use a
> CSS-like approach, and how much effort it would be.
>
> It would be nice if you could provide a patch and attach it to a ticket in
> jira.
>
> Cheers
> Andrea
>
>
>
> --
> Ing. Andrea Aime
> GeoSolutions S.A.S.
> Tech lead
>
> Via Poggio alle Viti 1187
> 55054  Massarosa (LU)
> Italy
>
> phone: +39 0584 962313
> fax:      +39 0584 962313
> mob:    +39 339 8844549
>
> http://www.geo-solutions.it
> http://geo-solutions.blogspot.com/
> http://www.youtube.com/user/GeoSolutionsIT
> http://www.linkedin.com/in/andreaaime
> http://twitter.com/geowolf
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Geoserver-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>



-- 
Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.
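
The ordering problem discussed in this thread, as an added example that is not code from any poster or from GeoServer: the quoted rest.properties rules are evaluated first-match, once from a TreeSet and once from a LinkedHashSet. Assumptions: "natural ordering" is taken to be plain String ordering of the patterns, the Ant matcher is a simplified stand-in, an unmatched request is denied, and the request paths are constructed.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added illustration (Java 17), not GeoServer code. Rule strings come from the thread.
public class RestRuleOrderDemo {
    record Rule(String pattern, Set<String> methods, Set<String> roles) {}

    // Parse one "pattern;METHODS=ROLES" line as written in rest.properties.
    static Rule parse(String line) {
        String[] head = line.split(";", 2);
        String[] tail = head[1].split("=", 2);
        return new Rule(head[0], Set.of(tail[0].split(",")), Set.of(tail[1].split(",")));
    }

    // Simplified Ant matching (assumption): "**" may cross '/' boundaries, "*" may not.
    static boolean matches(String antPattern, String path) {
        String regex = Pattern.quote(antPattern)
                .replace("**", "\\E.\u0000\\Q")   // placeholder so the next step skips it
                .replace("*", "\\E[^/]*\\Q")
                .replace("\u0000", "*");
        return path.matches(regex);
    }

    // First rule in iteration order whose method and pattern both match decides.
    static boolean allowed(Collection<Rule> rules, String path, String method, String role) {
        for (Rule r : rules)
            if (r.methods().contains(method) && matches(r.pattern(), path))
                return r.roles().contains(role);
        return false; // demo assumption: no matching rule means deny
    }

    public static void main(String[] args) {
        List<String> lines = List.of(
                "/rest;GET=ROLE_ADMINISTRATOR,ROLE_X",
                "/rest/workspaces*;GET=ROLE_ADMINISTRATOR,ROLE_X",
                "/rest/workspaces/abc*;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR,ROLE_X",
                "/rest/workspaces/abc/**;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR,ROLE_X",
                "/**;GET,POST,DELETE,PUT=ROLE_ADMINISTRATOR");
        Set<Rule> declared = new LinkedHashSet<>();  // keeps rest.properties order
        // Assumed "natural ordering": String order of the pattern, so "/**" sorts first.
        Set<Rule> sorted = new TreeSet<>(Comparator.comparing(Rule::pattern));
        for (String line : lines) { declared.add(parse(line)); sorted.add(parse(line)); }

        String abc = "/rest/workspaces/abc/datastores";   // constructed request paths
        String topp = "/rest/workspaces/topp/datastores";
        System.out.println("TreeSet order: " + sorted.stream().map(Rule::pattern).toList());
        System.out.println("TreeSet       PUT abc  ROLE_X: " + allowed(sorted, abc, "PUT", "ROLE_X"));
        System.out.println("LinkedHashSet PUT abc  ROLE_X: " + allowed(declared, abc, "PUT", "ROLE_X"));
        System.out.println("LinkedHashSet PUT topp ROLE_X: " + allowed(declared, topp, "PUT", "ROLE_X"));
    }
}
```

With the sorted set the catch-all `/**` is consulted first and ROLE_X is refused on workspace "abc"; with declaration order the workspace rule wins there while other workspaces still fall through to the administrator-only catch-all.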