On 04/01/19 11:37, Ciusso Hb wrote:
Ok, simple like that...
Sorry, I was misled by this line "AuthContextUtils.getAuthorizations().keySet().contains(StandardEntitlement.REALM_LIST);". With a rapid check, I thought that was used to check if a user could get the list of realms, but it is used to get the full data of realms.

So an authenticated user can get the list of all realms with basic data, and administrators (or users holding the REALM_LIST entitlement) can get the realms list with all associated data (Account and Password policies, Actions, Templates and Resources).
Correct?

Correct.

Regards.

On Fri, Jan 4, 2019 at 11:01 AM Francesco Chicchiriccò <[email protected]> wrote:

    On 04/01/19 10:58, Ciusso Hb wrote:
    Hi Francesco, good to know about the segregation of realms, and the code seems pretty clear.

    But with version 2.1.3-SNAPSHOT I've created a "simple" user without any Entitlements and, via Swagger, called the realms endpoint, passing his credentials.
    The method returned a list with all the realms, when I expected a 403.

    Why? The method [1] is annotated as

    @PreAuthorize("isAuthenticated()")

    This means that any authenticated user is allowed to invoke the method.

    Regards.

    On Fri, Jan 4, 2019 at 9:42 AM Francesco Chicchiriccò <[email protected]> wrote:

        On 04/01/19 09:27, Ciusso Hb wrote:
        > Hi all, I've noticed that the "/realms" REST endpoint needs
        > authentication, but is callable without the "REALM_LIST"
        > entitlement. Is this by design?

        Hi,
        it is not exactly like this: since one admin can own REALM_LIST on a
        folded realm but not on its parent realms, the behavior will return
        restricted realms when non-admin, and full-fledged realms when admin.

        Such behavior is implemented by [1] and [2].

        > Furthermore, the list of realms returned starts from the root
        > (not only from the realm of the user calling the method).
        >
        > The "/domains" REST endpoint seems to have a similar behavior:
        > it returns 200 OK with an empty list, but in this case I think
        > it is intentional, because the domain could be used to log in.

        Yep, correct.

        Regards.

        [1] https://github.com/apache/syncope/blob/master/core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/RealmLogic.java#L73-L86
        [2] https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/RealmDataBinderImpl.java#L219-L246

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
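The pattern discussed in this thread, as an added illustration that is not Syncope's own code (the real logic lives in RealmLogic and RealmDataBinderImpl linked above): the endpoint is gated only by `isAuthenticated()`, and the REALM_LIST entitlement decides the shape of each returned realm rather than whether the call succeeds. The `REALM_LIST@<realm path>` authority encoding, the `RealmView` record and the sample realms are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class RealmListingExample {

    /** Hypothetical realm view: full form carries policy and resources, restricted form only the path. */
    public record RealmView(String fullPath, String accountPolicy, Set<String> resources) {
        RealmView restricted() {
            return new RealmView(fullPath, null, null);
        }
    }

    // Constructed sample data; a real deployment would load realms from the DAO.
    private static final List<RealmView> ALL_REALMS = List.of(
            new RealmView("/", "root-policy", Set.of("ldap")),
            new RealmView("/even", "even-policy", Set.of("ldap")),
            new RealmView("/even/two", "two-policy", Set.of("ldap", "db")));

    /** Any authenticated caller may invoke this: the entitlement is not a gate here. */
    @PreAuthorize("isAuthenticated()")
    public List<RealmView> list() {
        // Assumed encoding: an authority "REALM_LIST@/even" means REALM_LIST owned on realm /even.
        Set<String> owned = SecurityContextHolder.getContext().getAuthentication()
                .getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .filter(a -> a.startsWith("REALM_LIST@"))
                .map(a -> a.substring("REALM_LIST@".length()))
                .collect(Collectors.toSet());
        return shape(ALL_REALMS, owned);
    }

    /** Full view for realms at or below one the caller holds REALM_LIST on; every other realm is restricted. */
    static List<RealmView> shape(List<RealmView> realms, Set<String> ownedRealms) {
        List<RealmView> out = new ArrayList<>();
        for (RealmView r : realms) {
            boolean full = ownedRealms.stream().anyMatch(o ->
                    r.fullPath().equals(o)
                    || r.fullPath().startsWith(o.endsWith("/") ? o : o + "/"));
            out.add(full ? r : r.restricted());
        }
        return out;
    }
}
```

With REALM_LIST owned on `/even` only, `shape` returns `/` restricted and `/even` and `/even/two` in full, which is the folded-realm case described above; a user with no entitlement at all still gets every realm, each restricted.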
