Ticket #946 (closed Enhancement: fixed)

Opened 5 years ago

Last modified 5 years ago

Fine granular request filter

Reported by: jri
Owned by: jri
Priority: Major
Milestone: Release 4.8
Component: DeepaMehta Standard Distribution
Version: 4.7
Keywords:
Cc: dgf, Malte, JuergeN
Complexity: 3
Area:
Module: deepamehta-accesscontrol

Description

Currently the request filter -- in terms of the dm4.security.[read|write]_requires_login settings -- is "all or nothing", that is true or false. The filter should be more granular on the basis of request URI prefixes.

Example:

dm4.security.allow_anonymous_read  = /eu.crowd-literature/, /crowd/
dm4.security.allow_anonymous_write = NONE

In this example the CROWD frontend (that is its REST API and its static resources) would be available for anonymous users while all the DM standard services (/core, /workspaces, ...) -- and thus the DM Webclient -- would not. (In this example the CROWD module is expected to depend solely on its own service and resources.)

The DM Standard Distro's default settings would look like this:

dm4.security.allow_anonymous_read  = ALL
dm4.security.allow_anonymous_write = NONE

This ticket proposes the replacement of the dm4.security.[read|write]_requires_login settings by dm4.security.allow_anonymous_[read|write] settings.

Change History

comment:1 Changed 5 years ago by jri

  • Status changed from new to accepted

comment:2 Changed 5 years ago by Jörg Richter <jri@…>

In 39f19f118bd85279b08a4e6b9ce37585ff4353e5/deepamehta:

Fine granular request filter (#946).

The request filter for anonymous read/write requests is not "all or nothing" anymore but allows filtering by URI-prefixes.

BREAKING CHANGE (for administrators)

These config properties are obsolete:

dm4.security.read_requires_login
dm4.security.write_requires_login

These are replaced by:

dm4.security.anonymous_read_allowed
dm4.security.anonymous_write_allowed

ALL allows all anonymous read/write requests.
NONE allows no anonymous read/write requests.
To allow specific anonymous read/write requests set a comma-separated list of URI-prefixes.
Each prefix must begin with slash but have *no* slash at the end.
(To each prefix a slash is appended automatically.)

Example:

dm4.security.anonymous_read_allowed  = /eu.crowd-literature, /crowd
dm4.security.anonymous_write_allowed = NONE

The DM Standard Distro's default settings:

dm4.security.anonymous_read_allowed  = ALL
dm4.security.anonymous_write_allowed = NONE

IMPORTANT for the dev environment, where you set the config in pom.xml:
you can either write

<dm4.security.anonymous_read_allowed>/eu.crowd-literature, /crowd</dm4.security.anonymous_read_allowed>

or

<dm4.security.anonymous_read_allowed>
    /eu.crowd-literature,
    /crowd
</dm4.security.anonymous_read_allowed>

In the latter case no spaces are allowed between the list items, only line breaks and tab characters are.

This is due to a bug in Maven 3.0.4. It might be fixed in later Maven versions.

See #946.
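
The prefix rules from the commit message above, as an added Python sketch (not DeepaMehta's own code, which this page does not show): it parses a setting value and checks request paths against the result. The function names, the sample request paths and the plain string-prefix comparison are assumptions.

```python
# Added illustration: models the rules stated in the commit message.
# Function names and the matching strategy are assumptions, not DeepaMehta code.

def parse_allowed(value):
    """Parse an anonymous_[read|write]_allowed setting value.

    Returns "ALL", "NONE", or a tuple of URI prefixes with the slash appended.
    """
    value = value.strip()
    if value in ("ALL", "NONE"):
        return value
    prefixes = []
    for item in value.split(","):
        # strip() also drops the tabs and line breaks of the multi-line pom.xml form
        item = item.strip()
        if not item.startswith("/") or item.endswith("/"):
            raise ValueError(
                f"invalid prefix {item!r}: must begin with a slash and not end with one"
            )
        prefixes.append(item + "/")  # "To each prefix a slash is appended automatically."
    return tuple(prefixes)


def is_anonymous_allowed(path, allowed):
    """Decide whether an anonymous request for `path` passes the filter."""
    if allowed == "ALL":
        return True
    if allowed == "NONE":
        return False
    # Assumption: plain string-prefix match on the request path.
    return any(path.startswith(prefix) for prefix in allowed)


if __name__ == "__main__":
    # Setting value taken from the example on this page.
    read_rules = parse_allowed("/eu.crowd-literature, /crowd")
    write_rules = parse_allowed("NONE")
    # Request paths below are constructed for the demonstration.
    for path in ("/crowd/api/work/1", "/crowd-admin/users", "/core/topic/1"):
        print(path,
              "read:", is_anonymous_allowed(path, read_rules),
              "write:", is_anonymous_allowed(path, write_rules))
```

Because the slash is appended before matching, the prefix `/crowd` admits `/crowd/...` but not a sibling path such as `/crowd-admin/...`.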

comment:3 Changed 5 years ago by jri

  • Status changed from accepted to closed
  • Resolution set to fixed