[Geoserver-devel] [jira] (GEOS-5139) REST security configuration improvement

ftringali created Improvement GEOS-5139
REST security configuration improvement

Issue Type:

Improvement

Affects Versions:

2.2-beta2

Assignee:

Andrea Aime

Attachments:

changes_REST_security.diff, LinkedProperties.java

Components:

REST, Security

Created:

31/May/12 10:10 AM

Description:

As per request …

==============
On Thu, May 31, 2012 at 3:07 PM, ftringali wrote:
Hi everybody,

I spent a day trying to setup REST security configuration (rest.properties)
in a way that allows free access of a ROLE_X to workspace “abc” locking down
others.

Imho, securing the service by Ant patterns without an “ordered” list of
rules is too difficult.

I didn’t find a way to satisfy my requirement in such a situation, so I did
some little changes to trunk code (I’ll send diff and .java files if
necessary): TreeSet -> LinkedHashSet and so on.

Now, via rest.properties I could take advantage of all capabilities of
Spring Security…

/rest;GET=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces*;GET=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces/abc*;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces/abc/;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR,ROLE_X
/**;GET,POST,DELETE,PUT=ROLE_ADMINISTRATOR

Before, rules were returned by “natural ordering” and the last (/**) was
always read as first matching rule, allowing only rules like the following
(note that GET method is not in the last line)

/rest/workspaces/topp*;GET=ROLE_ADMINISTRATOR
/rest/workspaces/topp/;GET=ROLE_ADMINISTRATOR
/**;POST,DELETE,PUT=ROLE_ADMINISTRATOR

Please let me know your opinions
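As an added illustration of the ordering problem described in the post above (not code from the attached patch or from GeoServer itself), a small Python model of rest.properties matching: Ant-style patterns, first match wins, evaluated once under Java String natural ordering (the TreeSet behaviour) and once in file order (LinkedHashSet). The rule file is a constructed subset of the one in the post, with the last rule spelled out as /** and the abc/** line assumed.

```python
import re

# Constructed subset of the rest.properties from the post above; the final
# catch-all is spelled out as /** and the abc/** line is an assumption.
REST_PROPERTIES = """\
/rest;GET=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces*;GET=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces/abc/**;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR,ROLE_X
/**;GET,POST,DELETE,PUT=ROLE_ADMINISTRATOR
"""

def ant_to_regex(pattern):
    """Ant-style path pattern: ** spans segments, * and ? stay in one segment."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] in "*?":
            out.append("[^/]*" if pattern[i] == "*" else "[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_rules(text):
    """Parse 'pattern;METHOD,...=ROLE,...' lines, keeping file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        lhs, roles = line.split("=", 1)
        pattern, methods = lhs.split(";", 1)
        rules.append((pattern, {m.strip() for m in methods.split(",")},
                      {r.strip() for r in roles.split(",")}))
    return rules

def required_roles(rules, method, path, natural_ordering):
    """First matching rule wins. natural_ordering=True sorts patterns as Java
    String natural ordering would (TreeSet); False keeps file order (LinkedHashSet)."""
    ordered = sorted(rules, key=lambda r: r[0]) if natural_ordering else rules
    for pattern, methods, roles in ordered:
        if method in methods and ant_to_regex(pattern).match(path):
            return roles
    return None  # no rule matched; whatever default the caller applies

if __name__ == "__main__":
    rules = parse_rules(REST_PROPERTIES)
    for natural in (True, False):
        # True: /** sorts first ('*' < 'r'), admin only; False: abc/** admits ROLE_X
        print(natural, required_roles(rules, "GET", "/rest/workspaces/abc/datastores", natural))
```

Running the same request through both orderings is the check to keep around after any change to rest.properties: it shows the effective policy rather than the one the rule author intended.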

==============
On 2012/5/31 Andrea Aime wrote:
The approach suggested seems to work.

In general I don’t like rule systems that work based on rule order
(a-la iptables) when it’s also possible to apply a specificity approach,
which does not require ordering instead: it’s the CSS approach, where the
most specific rule applies regardless of the order.

That said, I don’t know if it’s possible to bend Spring to use a CSS-like
approach, and how much effort it would be.

It would be nice if you could provide a patch and attach it to a ticket in jira.

Project:

GeoServer

Labels:

rest security configuration

Priority:

Major

Reporter:

ftringali

This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your [JIRA administrators](https://jira.codehaus.org/secure/ContactAdministrators!default.jspa). For more information on JIRA, see: [http://www.atlassian.com/software/jira](http://www.atlassian.com/software/jira)