On 04/01/19 10:58, Ciusso Hb wrote:
Hi Francesco, good to know about the segregation of realms and the code seems pretty clear.

But with version 2.1.3-SNAPSHOT I've created a "simple" user without any Entitlements and, via Swagger, called the realms endpoint, passing his credentials.
The method returned a list with all the realms when I expected a 403.

Why? The method [1] is annotated as

@PreAuthorize("isAuthenticated()")

This means that any authenticated user is allowed to invoke the method.

Regards.

On Fri, Jan 4, 2019 at 9:42 AM Francesco Chicchiriccò <[email protected]> wrote:

    On 04/01/19 09:27, Ciusso Hb wrote:
    > Hi all, I've noticed that the "/realms" REST endpoint needs
    > authentication, but is callable without "REALM_LIST" entitlements, is
    > this by design?

    Hi,
    it is not exactly like this: since one admin can own REALM_LIST on a
    folded realm but not on its parent realms, the behavior will return
    restricted realms when non-admin, and full-fledged realms when admin.

    Such behavior is implemented by [1] and [2].

    > Furthermore, the list of realms returned starts from the root (not only
    > from the realm of the user calling the method).
    >
    > The "/domains" REST endpoint seems to have a similar behavior: it returns
    > 200 OK with an empty list, but in this case, I think it is intentional
    > because the domain could be used to log in.

    Yep, correct.

    Regards.

    [1] https://github.com/apache/syncope/blob/master/core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/RealmLogic.java#L73-L86
    [2] https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/RealmDataBinderImpl.java#L219-L246

    --
    Francesco Chicchiriccò

    Tirasa - Open Source Excellence
    http://www.tirasa.net/

    Member at The Apache Software Foundation
    Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
    http://home.apache.org/~ilgrosso/


--
Francesco Chicchiriccò

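To make the behaviour discussed in this thread concrete, here is an added illustration (not Syncope's own code, and not the `RealmLogic`/`RealmDataBinderImpl` implementation linked above): an `isAuthenticated()`-style gate lets any logged-in user through with 200 OK, and the REALM_LIST entitlement then only decides, realm by realm, whether the caller gets the full-fledged or the restricted representation. The `Realm` record and the entitlement-to-realm-paths map are simplified, hypothetical stand-ins for the real model.

```java
import java.util.*;
import java.util.stream.Collectors;

/** Hypothetical, simplified realm representation (not Syncope's class). */
record Realm(String key, String fullPath, Map<String, String> attrs) {}

class RealmListingExample {

    /** Entitlement name as discussed in the thread. */
    static final String REALM_LIST = "REALM_LIST";

    /**
     * Any authenticated caller reaches this method (the isAuthenticated() gate);
     * no 403 is produced. Authorizations are modelled as
     * entitlement -> set of realm full paths on which it was granted.
     * Realms the caller may list are returned in full, the others restricted.
     */
    static List<Realm> list(Map<String, Set<String>> authorizations, List<Realm> allRealms) {
        Set<String> listable = authorizations.getOrDefault(REALM_LIST, Set.of());
        return allRealms.stream()
                .map(r -> canList(listable, r.fullPath())
                        ? r
                        : new Realm(r.key(), r.fullPath(), Map.of())) // restricted: path only, no attrs
                .collect(Collectors.toList());
    }

    /** REALM_LIST granted on a realm covers that realm and its descendants, not its parents. */
    static boolean canList(Set<String> listable, String fullPath) {
        return listable.stream().anyMatch(p ->
                fullPath.equals(p) || fullPath.startsWith(p.endsWith("/") ? p : p + "/"));
    }

    public static void main(String[] args) {
        // Constructed sample realm tree
        List<Realm> realms = List.of(
                new Realm("r0", "/", Map.of("owner", "root-admin")),
                new Realm("r1", "/even", Map.of("owner", "team-even")),
                new Realm("r2", "/even/two", Map.of("owner", "team-two")));

        // "simple" user with no entitlements: authenticated, so 200 OK, but every realm restricted
        System.out.println("no entitlements: " + list(Map.of(), realms));

        // admin owning REALM_LIST only on /even: full data for /even and /even/two, restricted root
        System.out.println("REALM_LIST on /even: " + list(Map.of(REALM_LIST, Set.of("/even")), realms));
    }
}
```

The check to run against a deployment is therefore not "does the endpoint return 403 for a user without REALM_LIST" but "does the restricted representation leak nothing beyond the realm path".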
