On Thu, May 31, 2012 at 3:07 PM, Fabrizio Tringali <[email protected]> wrote:
> Hi everybody,
>
> I spent a day trying to set up the REST security configuration (rest.properties)
> in a way that allows free access of a ROLE_X to workspace "abc", locking down
> the others.
>
> Imho, securing the service by Ant patterns without an "ordered" list of
> rules is too difficult.
>
> I didn't find a way to satisfy my requirement in such a situation, so I made
> some little changes to the trunk code (I'll send the diff and .java files if
> necessary): TreeSet -> LinkedHashSet and so on.
>
> Now, via rest.properties, I could take advantage of all the capabilities of
> Spring Security....
>
> /rest;GET=ROLE_ADMINISTRATOR,ROLE_X
> /rest/workspaces*;GET=ROLE_ADMINISTRATOR,ROLE_X
> /rest/workspaces/abc*;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR,ROLE_X
> /rest/workspaces/abc/**;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR,ROLE_X
> /**;GET,POST,DELETE,PUT=ROLE_ADMINISTRATOR
>
> Before, rules were returned in "natural ordering" and the last one (/**) was
> always read as the first matching rule, allowing only rules like the following
> (note that the GET method is not in the last line):
>
> /rest/workspaces/topp*;GET=ROLE_ADMINISTRATOR
> /rest/workspaces/topp/**;GET=ROLE_ADMINISTRATOR
> /**;POST,DELETE,PUT=ROLE_ADMINISTRATOR
>
>
> Please let me know your opinions
The approach suggested seems to work. In general I don't like rule systems that work based on rule order (à la iptables) when it's also possible to apply a specificity approach, which does not require ordering: it's the CSS approach, where the most specific rule applies regardless of the order. That said, I don't know if it's possible to bend Spring to use a CSS-like approach, and how much effort it would be.

It would be nice if you could provide a patch and attach it to a ticket in JIRA.

Cheers
Andrea

--
Ing. Andrea Aime
GeoSolutions S.A.S.
Tech lead

Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy

phone: +39 0584 962313
fax: +39 0584 962313
mob: +39 339 8844549

http://www.geo-solutions.it
http://geo-solutions.blogspot.com/
http://www.youtube.com/user/GeoSolutionsIT
http://www.linkedin.com/in/andreaaime
http://twitter.com/geowolf
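To make the ordering problem in this thread concrete, here is an added example in Python; it is not GeoServer or Spring Security code. It parses the two rule sets quoted above, evaluates requests first-match against them under the old "natural" (TreeSet) ordering, the insertion (LinkedHashSet) ordering the patch introduces, and a CSS-like specificity ordering of the kind Andrea suggests. The Ant matcher and the specificity key are simplified stand-ins for Spring's AntPathMatcher and its pattern comparator, and the rule that a request no line constrains is left open is an assumption about the old behaviour (it is what let the GET-less `/**` line keep reads anonymous).

```python
"""Added example: first-match evaluation of rest.properties-style rules under
three orderings. Not GeoServer/Spring code; the Ant matcher and the specificity
key are simplified stand-ins for Spring's AntPathMatcher and its comparator."""
import re
from typing import Iterable, List, Optional, Set, Tuple

# (Ant pattern, HTTP methods the rule applies to, roles allowed)
Rule = Tuple[str, Set[str], Set[str]]

# Rule set from the post, in the order its author wants it applied.
RULES_TEXT = """
/rest;GET=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces*;GET=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces/abc*;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces/abc/**;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR,ROLE_X
/**;GET,POST,DELETE,PUT=ROLE_ADMINISTRATOR
"""

# The workaround rule set the post says worked under natural ordering.
OLD_RULES_TEXT = """
/rest/workspaces/topp*;GET=ROLE_ADMINISTRATOR
/rest/workspaces/topp/**;GET=ROLE_ADMINISTRATOR
/**;POST,DELETE,PUT=ROLE_ADMINISTRATOR
"""


def parse_rules(text: str) -> List[Rule]:
    """Parse '<ant pattern>;<METHOD,...>=<ROLE,...>' lines, keeping file order."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        lhs, roles = line.split("=", 1)
        pattern, methods = lhs.split(";", 1)
        rules.append((pattern.strip(),
                      {m.strip().upper() for m in methods.split(",")},
                      {r.strip() for r in roles.split(",")}))
    return rules


def ant_to_regex(pattern: str) -> str:
    """Simplified Ant matching: '**' spans path segments, '*' stays inside one.
    A '/**' also matches the bare prefix, as Spring's matcher does."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?"); i += 3
        elif pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return "^" + "".join(out) + "$"


def first_match(rules: Iterable[Rule], method: str, path: str) -> Optional[Rule]:
    """First rule whose method set contains the verb and whose pattern matches."""
    for rule in rules:
        if method.upper() in rule[1] and re.match(ant_to_regex(rule[0]), path):
            return rule
    return None


def winning_pattern(rules: Iterable[Rule], method: str, path: str) -> Optional[str]:
    rule = first_match(rules, method, path)
    return rule[0] if rule else None


def is_allowed(rules: Iterable[Rule], method: str, path: str,
               user_roles: Iterable[str]) -> bool:
    rule = first_match(rules, method, path)
    if rule is None:          # assumption: an unconstrained request is left open
        return True
    return bool(rule[2] & set(user_roles))


def natural_order(rules: List[Rule]) -> List[Rule]:
    """Old TreeSet behaviour: plain string order. '*' (0x2A) sorts before every
    letter, so '/**' always ends up first and shadows every more specific rule."""
    return sorted(rules, key=lambda r: r[0])


def insertion_order(rules: List[Rule]) -> List[Rule]:
    """LinkedHashSet behaviour from the patch: the order written in the file."""
    return list(rules)


def specificity_order(rules: List[Rule]) -> List[Rule]:
    """CSS-like: fewest '**', then fewest '*', then longest pattern first.
    A made-up key for illustration, not Spring's pattern comparator."""
    def key(rule: Rule):
        p = rule[0]
        return (p.count("**"), p.replace("**", "").count("*"), -len(p))
    return sorted(rules, key=key)


RULES = parse_rules(RULES_TEXT)
OLD_RULES = parse_rules(OLD_RULES_TEXT)

if __name__ == "__main__":
    method, path = "GET", "/rest/workspaces/abc/datastores"
    for name, order in (("natural", natural_order), ("insertion", insertion_order),
                        ("specificity", specificity_order)):
        ordered = order(RULES)
        print(f"{name:12} {method} {path} -> {winning_pattern(ordered, method, path)}; "
              f"ROLE_X allowed: {is_allowed(ordered, method, path, ['ROLE_X'])}")
```

Running it shows the shadowing: under natural ordering a ROLE_X GET on `/rest/workspaces/abc/datastores` hits `/**` first and is refused, while both the file order and the specificity order select `/rest/workspaces/abc/**` and admit it, with `/rest/workspaces/other` still falling through to `/**` and administrators only. The specificity variant gives the same answers without depending on the order the lines were written in, which is the property Andrea is after; the cost is that a reviewer must reason about the ranking function instead of reading the file top to bottom.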
