Hello, I would like to implement custom security. First of all, let me explain, to get your opinion on whether this makes any sense. I have a server (compiled from run-server) instance accessible from the public network; the rest of the components (obr and client) are only accessible from the local network.
I have set up single-way SSL on the server (mainly because the targets will not have a fixed IP or hostname). Now I think it is time to add some authentication; I have been reading the documentation and monitoring the HTTP communication of the server.

#agent updating
POST /auditlog/send HTTP/1.1
GET /auditlog/query?tid=target-1&logid=1469475605103 HTTP/1.1
GET /agent/target-1/org.apache.ace.agent/versions/ HTTP/1.1
GET /deployment/target-1/versions/ HTTP/1.1
GET /repository/query?customer=apache&name=deployment HTTP/1.1
GET /deployment/target-1/versions/6.0.0 HTTP/1.1

#client viewing
GET /auditlog/query HTTP/1.1
GET /repository/query?customer=apache&name=user HTTP/1.1 *
GET /repository/checkout?customer=apache&name=user&version=1 HTTP/1.1
GET /repository/query?customer=apache&name=shop HTTP/1.1
GET /repository/checkout?customer=apache&name=shop&version=1 HTTP/1.1
GET /repository/checkout?customer=apache&name=target&version=7 HTTP/1.1
GET /repository/checkout?customer=apache&name=deployment&version=7 HTTP/1.1

#client updating repository
POST /repository/commit?customer=apache&name=shop&version=1 HTTP/1.1
POST /repository/commit?customer=apache&name=target&version=7 HTTP/1.1
POST /repository/commit?customer=apache&name=deployment&version=7 HTTP/1.1
POST /repository/commit?customer=apache&name=shop&version=2 HTTP/1.1
POST /repository/commit?customer=apache&name=target&version=8 HTTP/1.1
POST /repository/commit?customer=apache&name=deployment&version=8 HTTP/1.1

It seems that I could secure (add authentication to) the POST actions on /repository/commit and leave the other GETs open to everybody. With this I do not need to manage passwords for the agents; in my case all the agents will get the same bundles. For the current implementation, I was checking org.apache.ace.authentication and org.apache.ace.authentication.processor.basicauth, so I could implement a processor that uses basicauth for requests with method POST and needs no check for requests with GET.
For GETs I could simply return a predefined User with the minimum operations:

<memberof>viewArtifact</memberof>
<memberof>viewFeature</memberof>
<memberof>viewDistribution</memberof>
<memberof>viewTarget</memberof>

Does it sound reasonable? Are these the steps to follow?

- edit run-server/conf/org.apache.ace.connectionfactory/repository.cfg to enable authentication (not sure about that??; the documentation mentions o.a.a.repository.servlet, but in the source code there is no such file, only run-server/conf/org.apache.ace.http.context.cfg exists)
- edit run-server/conf/org.apache.ace.server.repository.factory/ace-user.cfg to customize the users
- implement the processor
- configure the new processor (no idea how to do it)
- in run-client/conf/org.apache.ace.connectionfactory/repository.cfg, set the authentication and credentials

Many thanks!!

____________________________________
Jorge Martin Cuervo
email <[email protected]>
voice 0032 489 336 802
voice 0034 660 026 384
skype jorgemartincuervo
____________________________________
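
The access policy described in the message, modelled as an added example (not part of the original post and not Apache ACE code): GETs get a fixed read-only user, every other request needs valid Basic credentials. The USERS table, the "commit" role label and the choice to keep the agents' POST /auditlog/send open (inferred from the captured traffic and the no-agent-passwords goal) are assumptions.

```python
import base64
import hmac
from urllib.parse import urlsplit

# Constructed demo credentials; a real server would query its user store.
USERS = {"editor": "s3cret-demo"}
# Read-only groups the post proposes for unauthenticated GET requests.
ANON_ROLES = ("viewArtifact", "viewFeature", "viewDistribution", "viewTarget")

def needs_auth(method, path):
    """Default to requiring credentials; list the anonymous cases explicitly."""
    if method == "GET":
        return False
    # Assumption: agents have no passwords, so their audit-log upload stays open.
    if (method, path) == ("POST", "/auditlog/send"):
        return False
    return True  # /repository/commit and any method or path not listed above

def check_basic(header):
    """Return the user name for a valid 'Authorization: Basic ...' value, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    # Compare even for unknown users so timing does not reveal valid names.
    ok = hmac.compare_digest(password.encode(), (expected or "").encode())
    return user if expected is not None and ok else None

def decide(request_line, authorization=None):
    """Return (status, principal, roles) for one HTTP request line."""
    method, target, _version = request_line.split(" ", 2)
    path = urlsplit(target).path
    if not needs_auth(method, path):
        return 200, "anonymous", ANON_ROLES
    user = check_basic(authorization)
    if user is None:
        return 401, None, ()
    return 200, user, ("commit",)  # hypothetical role label
```

Keying the rule on method alone would also challenge the agents' POST /auditlog/send, which is why the model decides on the (method, path) pair.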
