[GeoNetwork-devel] Spring Security Considerations

Hi,

I am working on using spring security for Geonetwork. As I start the work and planning I realize that I have a choice on how much to use spring security.

Right now the user-profiles configuration file is used to control what profiles exist and what profiles can access which services. There are not a lot of options available to the developer. A few features spring security has that cannot be done with user-profiles are:

  • Restrict access to a service based on parameters
  • Require https access to service
  • Restrict requests to services to be post only
  • Control access to resources

So I have a choice:

  1. Only use spring-security for authentication and leave everything else alone
  2. Move security control from user-profiles to spring-security.

I personally like option 2 because of the extra functionality we would gain. But this is a breaking change and I require community input before making such a change.

Jesse
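
The four capabilities listed in the message above, sketched as a Spring Security XML namespace configuration. This is an added illustration, not GeoNetwork code or part of the original post. The URL patterns, service names, the `id` parameter and the authority names `Editor`, `Administrator` and `RegisteredUser` are assumptions chosen for the example, and the in-memory user is constructed sample data.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Rules are evaluated top to bottom; the first matching pattern wins. -->
  <http use-expressions="true">

    <!-- POST only, over https: a state-changing service (hypothetical name). -->
    <intercept-url pattern="/srv/*/metadata.update" method="POST"
                   requires-channel="https" access="hasRole('Editor')"/>
    <!-- Any other HTTP method on the same service is refused. -->
    <intercept-url pattern="/srv/*/metadata.update" access="denyAll"/>

    <!-- Parameter-based restriction: administrators may edit any user,
         registered users only the record whose (assumed) "id" parameter
         equals their own login name. -->
    <intercept-url pattern="/srv/*/user.update" requires-channel="https"
        access="hasRole('Administrator') or (hasRole('RegisteredUser')
                and request.getParameter('id') == principal.username)"/>

    <!-- Resource access: files served outside the service layer. -->
    <intercept-url pattern="/private-resources/**" access="isAuthenticated()"/>

    <!-- Everything else stays open in this sketch. -->
    <intercept-url pattern="/**" access="permitAll"/>

    <form-login/>
  </http>

  <!-- Constructed sample user so the configuration loads on its own;
       a real deployment would plug in its user database or LDAP here. -->
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="editor1" password="sample-only" authorities="Editor"/>
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

Because the first matching rule wins, the `denyAll` entry must stay directly below the POST rule, and the catch-all `/**` must stay last.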

I should mention that option 2 also makes the implementation much simpler.

Jesse

On Wed, Jul 4, 2012 at 12:46 PM, Jesse Eichar <jesse.eichar@anonymised.com> wrote:

Hi,

I am working on using spring security for Geonetwork. As I start the work and planning I realize that I have a choice on how much to use spring security.

Right now the user-profiles configuration file is used to control what profiles exist and what profiles can access which services. There are not a lot of options available to the developer. A few features spring security has that cannot be done with user-profiles are:

  • Restrict access to a service based on parameters
  • Require https access to service
  • Restrict requests to services to be post only
  • Control access to resources

So I have a choice:

  1. Only use spring-security for authentication and leave everything else alone
  2. Move security control from user-profiles to spring-security.

I personally like option 2 because of the extra functionality we would gain. But this is a breaking change and I require community input before making such a change.

Jesse

Hi Jesse

Sorry for hijacking the discussion, I am not a geonetwork developer (except my minor contribution for the DB2 database).

But I am a geoserver developer and my last work was a redesign of the security module for the upcoming 2.2.x releases.

I really can recommend using Spring Security where it is possible. One of the major geoserver improvements is to make authentication modules pluggable. Geoserver supports basic auth, digest auth, form based authentication, cas, proxy authentication, j2ee authentication, ldap, jdbc,...

Would be nice to authenticate to geonetwork without need to reauthenticate to geoserver.

If you have some special questions about spring security, let me know.

Christian


Hi Jesse,

I'm not a spring security expert but +1 for me for such a move.

2012/7/4 <christian.mueller@anonymised.com>:

Hi Jesse

Sorry for hijacking the discussion, I am not a geonetwork developer
(except my minor contribution for the DB2 database).

Thanks Christian for your inputs!

But I am a geoserver developer and my last work was a redesign of the
security module for the upcoming 2.2.x releases.

I really can recommend using Spring Security where it is possible. One
of the major geoserver improvements is to make authentication modules
pluggable. Geoserver supports basic auth, digest auth, form based
authentication, cas, proxy authentication, j2ee authentication, ldap,
jdbc,...

Would be nice to authenticate to geonetwork without need to
reauthenticate to geoserver.

Yep, that would be great.

If you have some special questions about spring security, let me know.

Christian


Could this be a 2 step approach, do option 1 and then 2?
or the work made in option 1 will not be similar to what is needed for
option 2?

Option 2 looks to me quite a lot of work but you've certainly a better
view on the changes required.
Option 2 will replace Jeeves service loading or only the privileges to
access to Jeeves services?

Cheers.

Francois

_______________________________________________
GeoNetwork-devel mailing list
GeoNetwork-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geonetwork-devel
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork

Option 2 will only remove the access tags in the user-profiles and will remove that one little section in the ServiceManager that checks to see if the user has access. I have to do everything else in Option 1 anyhow so really it is not a lot of extra work.

If I find out something I missed I will revisit this issue on the list.

Jesse

On Wed, Jul 4, 2012 at 10:07 PM, Francois Prunayre <fx.prunayre@anonymised.com…> wrote:

Could this be a 2 step approach, do option 1 and then 2?
or the work made in option 1 will not be similar to what is needed for
option 2?

Option 2 looks to me quite a lot of work but you’ve certainly a better
view on the changes required.
Option 2 will replace Jeeves service loading or only the privileges to
access to Jeeves services?

Cheers.

Francois
