[Commits] (bcm) fix up security (both webapp and slide) so that the following are true:

commits at osafoundation.org commits at osafoundation.org
Mon Feb 28 11:53:00 PST 2005


Commit by: bcm
Modified files:
server/docs/TODO.txt 1.9 1.10
server/webapps/share/web/WEB-INF/Domain.xml 1.3 1.4
server/webapps/share/web/WEB-INF/web.xml 1.4 1.5

Log message:
fix up security (both webapp and slide) so that the following are true:

1) only root can access anything in /share/* except as below;
2) all can access /share/files/* with GET/HEAD/OPTIONS
3) only authenticated users can access /share/files/* with any other methods

Also remove extraneous settings from the Slide config (including DeltaV support;
it is not clear whether we need to support that).


ViewCVS links:
http://cvs.osafoundation.org/index.cgi/server/docs/TODO.txt.diff?r1=text&tr1=1.9&r2=text&tr2=1.10
http://cvs.osafoundation.org/index.cgi/server/webapps/share/web/WEB-INF/Domain.xml.diff?r1=text&tr1=1.3&r2=text&tr2=1.4
http://cvs.osafoundation.org/index.cgi/server/webapps/share/web/WEB-INF/web.xml.diff?r1=text&tr1=1.4&r2=text&tr2=1.5

Index: server/docs/TODO.txt
diff -u server/docs/TODO.txt:1.9 server/docs/TODO.txt:1.10
--- server/docs/TODO.txt:1.9	Thu Feb 24 18:38:45 2005
+++ server/docs/TODO.txt	Mon Feb 28 11:52:59 2005
@@ -27,9 +27,6 @@
 security:
  * figure out why `cadaver http://localhost:8080/share/' gives a 403
    Forbidden error immediately (without prompting for credentials)
- * only root can access children of /share/, but all can access
-   children of /share/files/ (GET/HEAD unsecured, all others
-   secured).
 
 install/configure:
 

Index: server/webapps/share/web/WEB-INF/Domain.xml
diff -u server/webapps/share/web/WEB-INF/Domain.xml:1.3 server/webapps/share/web/WEB-INF/Domain.xml:1.4
--- server/webapps/share/web/WEB-INF/Domain.xml:1.3	Wed Feb 23 20:23:53 2005
+++ server/webapps/share/web/WEB-INF/Domain.xml	Mon Feb 28 11:52:59 2005
@@ -31,13 +31,6 @@
                     <parameter name="defer-saving">true</parameter>
                     <parameter name="timeout">120</parameter>
                 </contentstore>
-                <!-- uncomment if you want to use the sample Indexer -->
-                <!-- be sure to have Lucene in your classpath             -->
-                <!--
-                <contentindexer classname="org.apache.slide.index.SampleTxtContainsIndexer">
-                <parameter name="indexpath">./index</parameter>
-                </contentindexer>
-        -->
             </store>
             <store name="principals">
                 <nodestore classname="com.marathon.security.slide.SpringDAOPrincipalStore">
@@ -117,35 +110,12 @@
                 a role               "/roles/admin"
                 -->
                 <permission action="all" subject="/roles/root" inheritable="true"/>
-                <permission action="/actions/read-acl" subject="all" inheritable="true" negative="true"/>
-                <permission action="/actions/write-acl" subject="all" inheritable="true" negative="true"/>
-                <permission action="/actions/unlock" subject="all" inheritable="true" negative="true"/>
-                <!-- /users -->
-                <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users">
-                    <permission action="all" subject="self" inheritable="true"/>
-                    <permission action="all" subject="unauthenticated" inheritable="true" negative="true"/>
-                    <!-- /users/root represents the administrator -->
-                    <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users/root">
-                        <revision>
-                            <property namespace="http://jakarta.apache.org/slide/" name="password">chsrv</property> 
-                        </revision>
-                    </objectnode>
-                </objectnode>
-                <!-- /roles -->
-                <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles">
-                    <permission action="all" subject="self" inheritable="true"/>
-                    <permission action="all" subject="unauthenticated" inheritable="true" negative="true"/>
-                    <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles/root">
-                        <revision>
-                            <property name="group-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/users/root</D:href>]]></property>
-                        </revision>
-                    </objectnode>
-                </objectnode>
+                <permission action="all" subject="all" inheritable="true" negative="true"/>
                 <!-- action -->
                 <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions">
                     <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/read">
                         <revision>
-                            <property name="privilege-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/actions/read-acl</D:href> <D:href xmlns:D='DAV:'>/actions/read-current-user-privilege-set</D:href>]]></property>
+                            <property name="privilege-member-set"/>
                         </revision>
                     </objectnode>
                     <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/read-acl">
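Review bot: The new deny rule `<permission action="all" subject="all" inheritable="true" negative="true"/>` sits directly after the grant to `/roles/root`, with no comment recording that the pair depends on how Slide resolves a grant and a denial that both match the same principal. If the evaluation order or precedence differs from what is assumed here, either root is locked out or the denial has no effect. A comment such as `<!-- default deny: root is granted above; everyone else is refused unless a child node (e.g. /files) grants access -->` would record the intent, and a check as root and as an ordinary user would confirm it. Separately, the removed `/users/root` node carried a literal password that is still readable in revision 1.3 and in this message, so that credential should be treated as exposed and changed wherever it was in use.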
@@ -160,7 +130,7 @@
                     </objectnode>
                     <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write">
                         <revision>
-                            <property name="privilege-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/actions/write-acl</D:href> <D:href xmlns:D='DAV:'>/actions/write-properties</D:href> <D:href xmlns:D='DAV:'>/actions/write-content</D:href>]]></property>
+                            <property name="privilege-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/actions/write-properties</D:href> <D:href xmlns:D='DAV:'>/actions/write-content</D:href>]]></property>
                         </revision>
                     </objectnode>
                     <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write-acl">
@@ -194,160 +164,11 @@
                         </revision>
                     </objectnode>
                 </objectnode>
+                <!-- shared files -->
                 <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/files">
                     <permission action="/actions/read" subject="all" inheritable="true"/>
                 </objectnode>
-                <!-- DeltaV: default history and workspace paths -->
-                <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/history">
-                    <permission action="all" subject="unauthenticated" inheritable="true"/>
-                    <permission action="/actions/read-acl" subject="owner" inheritable="true"/>
-                </objectnode>
-                <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/workspace">
-                    <permission action="all" subject="unauthenticated" inheritable="true"/>
-                    <permission action="/actions/read-acl" subject="owner" inheritable="true"/>
-                </objectnode>
-                <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/workingresource">
-                    <permission action="all" subject="unauthenticated" inheritable="true"/>
-                    <permission action="/actions/read-acl" subject="owner" inheritable="true"/>
-                </objectnode>
             </objectnode>
         </data>
     </namespace>
-    <!--
-    DeltaV global parameters
-    ========================
-    * historypath (mandatory=no, default="/history"):
-    Specifies a Slide path which determines the location where this DeltaV
-    server stores history data.
-
-    * workspacepath (mandatory=no, default="/workspace"):
-    Specifies a Slide path which determines the location where this DeltaV
-    server allows workspaces to reside.
-
-    * workingresourcepath (mandatory=no, default="/workingresource"):
-    Specifies a Slide path which determines the location where this DeltaV
-    server stores working resources.
-
-    * auto-version (mandatory=no, default="checkout-checkin"):
-    Controls the DeltaV auto-version behaviour.
-
-    * auto-version-control (mandatory=no, default="false"):
-    Indicates if a resource just created by a PUT should be set under
-    version-control.
-
-    * versioncontrol-exclude (mandatory=no, default=""):
-    Specifies a Slide path which determines resources which are excluded from version-control.
-    The default value "" makes no path being excluded.
-
-    * checkout-fork (mandatory=no, default="forbidden"):
-    Controls the DeltaV check-out behaviour when a version is already
-    checked-out or has a successor.
-
-    * checkin-fork (mandatory=no, default="forbidden"):
-    Controls the DeltaV check-out behaviour when a version has already a
-    successor.
-
-    * standardLivePropertiesClass (mandatory=no,
-    default="org.apache.slide.webdav.util.resourcekind.AbstractResourceKind"):
-    Determines the "agent" knowing about what the standard live properties are.
-    It should be a loadable class containing the following static methods:
-    - boolean isLiveProperty(String propName)
-    - boolean isProtectedProperty(String propName)
-    - boolean isComputedProperty(String propName)
-    - Set getAllLiveProperties()
-    - Set getAllProtectedProperties()
-    - Set getAllComputedProperties()
-
-    * uriRedirectorClass (mandatory=no,
-    default="org.apache.slide.webdav.util.DeltavUriRedirector"):
-    Determines the URI redirector class. The DeltaV URI redirector is in
-    charge of the following redirections:
-    - version URI to history URI, e.g. /history/2/1.4 to /history/2
-    - latest revision number for history resource to 0.0
-    - latest revision number for version resource to last URI token,
-    e.g. /history/2/1.4 to 1.4
-    It should be a loadable class containing the following static methods:
-    - String redirectUri(String uri)
-    - NodeRevisionNumber redirectLatestRevisionNumber(String uri)
-    -->
-    <parameter name="historypath">/history</parameter>
-    <parameter name="workspacepath">/workspace</parameter>
-    <parameter name="workingresourcepath">/workingresource</parameter>
-    <parameter name="auto-version">checkout-checkin</parameter>
-    <parameter name="auto-version-control">false</parameter>
-    <parameter name="versioncontrol-exclude"/>
-    <parameter name="checkout-fork">forbidden</parameter>
-    <parameter name="checkin-fork">forbidden</parameter>
-
-
-    <!-- Extractor configuration -->
-    <extractors>
-        <extractor classname="org.apache.slide.extractor.SimpleXmlExtractor" uri="/files/articles/test.xml">
-            <configuration>
-                <instruction property="title" xpath="/article/title/text()" />
-                <instruction property="summary" xpath="/article/summary/text()" />
-            </configuration>
-        </extractor>
-        <extractor classname="org.apache.slide.extractor.OfficeExtractor" uri="/files/docs/">
-            <configuration>
-                <instruction property="author" id="SummaryInformation-0-4" />
-                <instruction property="application" id="SummaryInformation-0-18" />
-            </configuration>
-        </extractor>
-    </extractors>
-
-    <!-- Event configuration -->
-    <events>
-        <event classname="org.apache.slide.webdav.event.WebdavEvent" enable="true" />
-        <event classname="org.apache.slide.event.ContentEvent" enable="true" />
-        <event classname="org.apache.slide.event.ContentEvent" method="retrieve" enable="false" />
-        <event classname="org.apache.slide.event.EventCollection" enable="true" />
-        <event classname="org.apache.slide.event.TransactionEvent" enable="true" />
-
-        <event classname="org.apache.slide.event.MacroEvent" enable="true"/>
-
-        <!--listener classname="org.apache.slide.util.event.EventLogger" /-->
-        <listener classname="org.apache.slide.event.VetoableEventCollector" />
-        <listener classname="org.apache.slide.event.TransientEventCollector" />
-        <listener classname="org.apache.slide.webdav.event.NotificationTrigger">
-            <configuration>
-                <notification include-events="false" />
-                <persist-subscriptions filename="subscriptions.xml" />
-            </configuration>
-        </listener>
-        <listener classname="org.apache.slide.extractor.PropertyExtractorTrigger" />
-        <listener classname="org.apache.slide.search.IndexTrigger">
-            <configuration>
-                <indexer classname="org.apache.slide.search.LoggingIndexer" synchronous="false" uri="/files/articles" />
-            </configuration>
-        </listener>
-        
-		<!-- Uncomment for cluster support. Be sure to local-host and repository-host -->
-		<!--
-		<listener classname="org.apache.slide.cluster.ClusterCacheRefresher">
-			<configuration>
-				<node local-host="local.host.domain"
-				      local-port="4444"
-					  repository-host="remote.host.domain"
-					  repository-port="8080"
-					  repository-protocol="http"
-					  username="root"
-					  password="root"
-					  base-uri="/files/"
-				/>
-			</configuration>
-		</listener>
-		-->
-
-        <listener classname="org.apache.slide.macro.MacroPropertyUpdater">
-          <!-- Listener that updates some properties if resources are 
-               copied or moved.  This requires MacroEvents enabled (at 
-               least methods copy and move) -->
-          <configuration>
-            <update-displayname>true</update-displayname>
-            <update-owner-on-move>false</update-owner-on-move>
-            <update-owner-on-copy>true</update-owner-on-copy>
-          </configuration>
-        </listener>
-    </events>
 </slide>
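Review bot: The added `<!-- shared files -->` comment does not say who may write under `/files`, and the only permission visible on that node is `/actions/read` for `all`. Combined with the inherited deny-all added at the root node, this appears to leave non-root authenticated users without write access at the Slide layer, although rule 3 of the log message and the `user` role in web.xml expect them to have it. Presumably per-user grants are created elsewhere, but nothing on this page shows that. I would either add the missing grant here or, once the external grants are confirmed, extend the comment to something like `<!-- shared files: world-readable; write access comes from per-collection permissions created outside this file -->`.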

Index: server/webapps/share/web/WEB-INF/web.xml
diff -u server/webapps/share/web/WEB-INF/web.xml:1.4 server/webapps/share/web/WEB-INF/web.xml:1.5
--- server/webapps/share/web/WEB-INF/web.xml:1.4	Wed Feb 23 20:23:53 2005
+++ server/webapps/share/web/WEB-INF/web.xml	Mon Feb 28 11:52:59 2005
@@ -109,20 +109,60 @@
   </servlet-mapping>
   <security-constraint>
     <web-resource-collection>
-      <web-resource-name>File Share</web-resource-name>
-      <url-pattern>/*</url-pattern>
+      <web-resource-name>Slide Internal</web-resource-name>
+      <url-pattern>/</url-pattern>
+      <http-method>GET</http-method>
+      <http-method>HEAD</http-method>
+      <http-method>OPTIONS</http-method>
       <http-method>COPY</http-method>
       <http-method>DELETE</http-method>
+      <http-method>LOCK</http-method>
+      <http-method>MKCOL</http-method>
+      <http-method>MOVE</http-method>
+      <http-method>POST</http-method>
+      <http-method>PROPFIND</http-method>
+      <http-method>PROPPATCH</http-method>
+      <http-method>PUT</http-method>
+      <http-method>UNLOCK</http-method>
+      <http-method>VERSION-CONTROL</http-method>
+      <http-method>REPORT</http-method>
+      <http-method>CHECKIN</http-method>
+      <http-method>CHECKOUT</http-method>
+      <http-method>UNCHECKOUT</http-method>
+      <http-method>MKWORKSPACE</http-method>
+      <http-method>UPDATE</http-method>
+      <http-method>LABEL</http-method>
+      <http-method>MERGE</http-method>
+      <http-method>BASELINE-CONTROL</http-method>
+      <http-method>MKACTIVITY</http-method>
+      <http-method>ACL</http-method>
+      <http-method>SEARCH</http-method>
+      <http-method>BIND</http-method>
+      <http-method>UNBIND</http-method>
+      <http-method>REBIND</http-method>
+      <http-method>SUBSCRIBE</http-method>
+      <http-method>UNSUBSCRIBE</http-method>
+      <http-method>POLL</http-method>
+      <http-method>NOTIFY</http-method>
+    </web-resource-collection>
+    <auth-constraint>
+      <role-name>root</role-name>
+    </auth-constraint>
+  </security-constraint>
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>File Share</web-resource-name>
+      <url-pattern>/</url-pattern>
 <!--
       <http-method>GET</http-method>
       <http-method>HEAD</http-method>
+      <http-method>OPTIONS</http-method>
 -->
+      <http-method>COPY</http-method>
+      <http-method>DELETE</http-method>
       <http-method>LOCK</http-method>
       <http-method>MKCOL</http-method>
       <http-method>MOVE</http-method>
-<!--
-      <http-method>OPTIONS</http-method>
--->
       <http-method>POST</http-method>
       <http-method>PROPFIND</http-method>
       <http-method>PROPPATCH</http-method>
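Review bot: Both constraints are declared with `<url-pattern>/</url-pattern>`, so nothing in this hunk distinguishes `/share/files/*` from the rest of `/share/*` as rules 1–3 of the log message require. With identical patterns the container is likely to combine the two constraints: GET/HEAD/OPTIONS are named only in "Slide Internal" and would require `root` everywhere, while the remaining methods would accept `root` or `user` everywhere. The patterns that match the stated intent are `<url-pattern>/*</url-pattern>` for "Slide Internal" and `<url-pattern>/files/*</url-pattern>` for "File Share". The explicit `<http-method>` list also leaves any verb that is not listed unconstrained; dropping the list from the root-only constraint makes it cover every method. The "File Share" constraint continues past the end of this hunk.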
@@ -153,11 +193,11 @@
       <role-name>root</role-name>
       <role-name>user</role-name>
     </auth-constraint>
+  </security-constraint>
   <resource-env-ref>
     <resource-env-ref-name>jdbc/ChandlerUserDB</resource-env-ref-name>
     <resource-env-ref-type>javax.sql.DataSource</resource-env-ref-type>
   </resource-env-ref>
-  </security-constraint>
   <login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>Chandler Server</realm-name>
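Review bot: Neither security constraint is followed by a `<user-data-constraint>`, and `<login-config>` uses `BASIC`, so the root and user passwords travel merely base64-encoded over whatever transport the client chose. Both `<auth-constraint>` blocks are closed directly by `</security-constraint>` (the first in the previous hunk, the second here). Adding `<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>` after each `<auth-constraint>` makes the container require TLS for the protected requests; this needs an HTTPS connector to be configured. `<login-config>` continues outside the hunk.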


