Hi everybody,

I spent a day trying to set up the REST security configuration (rest.properties)
in a way that allows a ROLE_X free access to workspace "abc" while locking
down the others.

IMHO, securing the service with Ant patterns without an "ordered" list of
rules is too difficult.

I didn't find a way to satisfy my requirement in that situation, so I made
some small changes to the trunk code (I'll send the diff and .java files if
necessary): TreeSet -> LinkedHashSet and so on.

Now, via rest.properties, I could take advantage of all the capabilities of
Spring Security:

/rest;GET=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces*;GET=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces/abc*;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces/abc/**;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR,ROLE_X
/**;GET,POST,DELETE,PUT=ROLE_ADMINISTRATOR

Before, rules were returned in "natural ordering" and the last one (/**) was
always read as the first matching rule, allowing only rules like the following
(note that the GET method is not in the last line):

/rest/workspaces/topp*;GET=ROLE_ADMINISTRATOR
/rest/workspaces/topp/**;GET=ROLE_ADMINISTRATOR
/**;POST,DELETE,PUT=ROLE_ADMINISTRATOR


Please let me know your opinions.

TIA,
  Fabrizio
_______________________________________________
Geoserver-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-users
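To see concretely why rule order matters in the setup described above, here is an added Python example (not GeoServer code and not part of the post) that parses rest.properties-style lines, matches request paths with a small Ant-pattern translator, and evaluates the rules first-match in file order versus string-sorted order (approximating a TreeSet of pattern strings). The Ant translation, the rule sets embedded as constants (copied from the post) and the "no matching rule means deny" fallback are this example's own assumptions, not a statement of GeoServer's actual implementation.

```python
"""Added example: first-match evaluation of rest.properties-style rules.

Shows that with the same five rules, insertion order lets the specific
"/rest/workspaces/abc..." entries win, while string ("natural") ordering
puts "/**" first and shadows everything else.
"""
import re
from typing import FrozenSet, Iterable, List, NamedTuple, Optional


class Rule(NamedTuple):
    pattern: str
    methods: FrozenSet[str]
    roles: FrozenSet[str]


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern into an anchored regex (this demo's
    translation): '?' = one char in a segment, '*' = any run of chars in a
    segment, '**' = any number of segments. A whole '/**' segment is optional,
    so '/rest/workspaces/abc/**' also matches '/rest/workspaces/abc' itself."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and (i + 3 == len(pattern) or pattern[i + 3] == "/"):
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rules(text: str) -> List[Rule]:
    """Parse 'pattern;METHOD,...=ROLE,...' lines, preserving file order."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, rest = line.partition(";")
        methods, _, roles = rest.partition("=")
        rules.append(Rule(pattern,
                          frozenset(m.strip().upper() for m in methods.split(",")),
                          frozenset(r.strip() for r in roles.split(","))))
    return rules


def natural_order(rules: List[Rule]) -> List[Rule]:
    """Sort by pattern string, like a TreeSet<String> would. '*' (0x2A) sorts
    before '/' (0x2F) and before letters, so '/**' always comes first."""
    return sorted(rules, key=lambda r: r.pattern)


def first_match(rules: Iterable[Rule], method: str, path: str) -> Optional[Rule]:
    """First rule whose method set contains the request method and whose
    pattern matches the path; None if nothing matches."""
    method = method.upper()
    for rule in rules:
        if method in rule.methods and ant_to_regex(rule.pattern).match(path):
            return rule
    return None


def allowed(rules: Iterable[Rule], method: str, path: str, user_roles: Iterable[str]) -> bool:
    """First-match decision. No matching rule is treated as denied here
    (this demo's choice, not GeoServer's documented fallback)."""
    rule = first_match(rules, method, path)
    return rule is not None and bool(rule.roles & frozenset(user_roles))


# Rule sets from the post, embedded as constructed input.
ORDERED_RULES = """
/rest;GET=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces*;GET=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces/abc*;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces/abc/**;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR,ROLE_X
/**;GET,POST,DELETE,PUT=ROLE_ADMINISTRATOR
"""

LEGACY_RULES = """
/rest/workspaces/topp*;GET=ROLE_ADMINISTRATOR
/rest/workspaces/topp/**;GET=ROLE_ADMINISTRATOR
/**;POST,DELETE,PUT=ROLE_ADMINISTRATOR
"""

if __name__ == "__main__":
    in_file_order = parse_rules(ORDERED_RULES)
    sorted_like_treeset = natural_order(in_file_order)
    for label, rules in (("file order", in_file_order), ("natural order", sorted_like_treeset)):
        hit = first_match(rules, "GET", "/rest/workspaces/abc")
        print(f"{label:14s} GET /rest/workspaces/abc -> {hit.pattern if hit else None}, "
              f"ROLE_X allowed: {allowed(rules, 'GET', '/rest/workspaces/abc', ['ROLE_X'])}")
    # Legacy style: GET is absent from /**, so a GET outside "topp" matches no rule at all.
    print("legacy GET /rest/layers ->", first_match(natural_order(parse_rules(LEGACY_RULES)), "GET", "/rest/layers"))
```

Running it shows the shadowing directly: in file order the GET on /rest/workspaces/abc is decided by `/rest/workspaces/abc*` and ROLE_X is allowed, whereas in natural order `/**` is consulted first and only ROLE_ADMINISTRATOR passes. The legacy rule set avoids the problem only by leaving GET out of `/**`, which is why a GET on any other path finds no rule.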