[Commits] (bcm) fix up security (both webapp and slide) so that the
following are true:
commits at osafoundation.org
commits at osafoundation.org
Mon Feb 28 11:53:00 PST 2005
Commit by: bcm
Modified files:
server/docs/TODO.txt 1.9 1.10
server/webapps/share/web/WEB-INF/Domain.xml 1.3 1.4
server/webapps/share/web/WEB-INF/web.xml 1.4 1.5
Log message:
fix up security (both webapp and slide) so that the following are true:
1) only root can access anything in /share/* except as below;
2) all can access /share/files/* with GET/HEAD/OPTIONS
3) only authenticated users can access /share/files/* with any other methods
also remove extraneous stuff from slide config (including DeltaV support, not
clear if we need to support that).
ViewCVS links:
http://cvs.osafoundation.org/index.cgi/server/docs/TODO.txt.diff?r1=text&tr1=1.9&r2=text&tr2=1.10
http://cvs.osafoundation.org/index.cgi/server/webapps/share/web/WEB-INF/Domain.xml.diff?r1=text&tr1=1.3&r2=text&tr2=1.4
http://cvs.osafoundation.org/index.cgi/server/webapps/share/web/WEB-INF/web.xml.diff?r1=text&tr1=1.4&r2=text&tr2=1.5
Index: server/docs/TODO.txt
diff -u server/docs/TODO.txt:1.9 server/docs/TODO.txt:1.10
--- server/docs/TODO.txt:1.9 Thu Feb 24 18:38:45 2005
+++ server/docs/TODO.txt Mon Feb 28 11:52:59 2005
@@ -27,9 +27,6 @@
security:
* figure out why `cadaver http://localhost:8080/share/' gives a 403
Forbidden error immediately (without prompting for credentials)
- * only root can access children of /share/, but all can access
- children of /share/files/ (GET/HEAD unsecured, all others
- secured).
install/configure:
Index: server/webapps/share/web/WEB-INF/Domain.xml
diff -u server/webapps/share/web/WEB-INF/Domain.xml:1.3 server/webapps/share/web/WEB-INF/Domain.xml:1.4
--- server/webapps/share/web/WEB-INF/Domain.xml:1.3 Wed Feb 23 20:23:53 2005
+++ server/webapps/share/web/WEB-INF/Domain.xml Mon Feb 28 11:52:59 2005
@@ -31,13 +31,6 @@
<parameter name="defer-saving">true</parameter>
<parameter name="timeout">120</parameter>
</contentstore>
- <!-- uncomment if you want to use the sample Indexer -->
- <!-- be sure to have Lucene in your classpath -->
- <!--
- <contentindexer classname="org.apache.slide.index.SampleTxtContainsIndexer">
- <parameter name="indexpath">./index</parameter>
- </contentindexer>
- -->
</store>
<store name="principals">
<nodestore classname="com.marathon.security.slide.SpringDAOPrincipalStore">
@@ -117,35 +110,12 @@
a role "/roles/admin"
-->
<permission action="all" subject="/roles/root" inheritable="true"/>
- <permission action="/actions/read-acl" subject="all" inheritable="true" negative="true"/>
- <permission action="/actions/write-acl" subject="all" inheritable="true" negative="true"/>
- <permission action="/actions/unlock" subject="all" inheritable="true" negative="true"/>
- <!-- /users -->
- <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users">
- <permission action="all" subject="self" inheritable="true"/>
- <permission action="all" subject="unauthenticated" inheritable="true" negative="true"/>
- <!-- /users/root represents the administrator -->
- <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users/root">
- <revision>
- <property namespace="http://jakarta.apache.org/slide/" name="password">chsrv</property>
- </revision>
- </objectnode>
- </objectnode>
- <!-- /roles -->
- <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles">
- <permission action="all" subject="self" inheritable="true"/>
- <permission action="all" subject="unauthenticated" inheritable="true" negative="true"/>
- <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles/root">
- <revision>
- <property name="group-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/users/root</D:href>]]></property>
- </revision>
- </objectnode>
- </objectnode>
+ <permission action="all" subject="all" inheritable="true" negative="true"/>
<!-- action -->
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions">
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/read">
<revision>
- <property name="privilege-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/actions/read-acl</D:href> <D:href xmlns:D='DAV:'>/actions/read-current-user-privilege-set</D:href>]]></property>
+ <property name="privilege-member-set"/>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/read-acl">
@@ -160,7 +130,7 @@
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write">
<revision>
- <property name="privilege-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/actions/write-acl</D:href> <D:href xmlns:D='DAV:'>/actions/write-properties</D:href> <D:href xmlns:D='DAV:'>/actions/write-content</D:href>]]></property>
+ <property name="privilege-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/actions/write-properties</D:href> <D:href xmlns:D='DAV:'>/actions/write-content</D:href>]]></property>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write-acl">
@@ -194,160 +164,11 @@
</revision>
</objectnode>
</objectnode>
+ <!-- shared files -->
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/files">
<permission action="/actions/read" subject="all" inheritable="true"/>
</objectnode>
- <!-- DeltaV: default history and workspace paths -->
- <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/history">
- <permission action="all" subject="unauthenticated" inheritable="true"/>
- <permission action="/actions/read-acl" subject="owner" inheritable="true"/>
- </objectnode>
- <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/workspace">
- <permission action="all" subject="unauthenticated" inheritable="true"/>
- <permission action="/actions/read-acl" subject="owner" inheritable="true"/>
- </objectnode>
- <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/workingresource">
- <permission action="all" subject="unauthenticated" inheritable="true"/>
- <permission action="/actions/read-acl" subject="owner" inheritable="true"/>
- </objectnode>
</objectnode>
</data>
</namespace>
- <!--
- DeltaV global parameters
- ========================
- * historypath (mandatory=no, default="/history"):
- Specifies a Slide path which determines the location where this DeltaV
- server stores history data.
-
- * workspacepath (mandatory=no, default="/workspace"):
- Specifies a Slide path which determines the location where this DeltaV
- server allows workspaces to reside.
-
- * workingresourcepath (mandatory=no, default="/workingresource"):
- Specifies a Slide path which determines the location where this DeltaV
- server stores working resources.
-
- * auto-version (mandatory=no, default="checkout-checkin"):
- Controls the DeltaV auto-version behaviour.
-
- * auto-version-control (mandatory=no, default="false"):
- Indicates if a resource just created by a PUT should be set under
- version-control.
-
- * versioncontrol-exclude (mandatory=no, default=""):
- Specifies a Slide path which determines resources which are excluded from version-control.
- The default value "" makes no path being excluded.
-
- * checkout-fork (mandatory=no, default="forbidden"):
- Controls the DeltaV check-out behaviour when a version is already
- checked-out or has a successor.
-
- * checkin-fork (mandatory=no, default="forbidden"):
- Controls the DeltaV check-out behaviour when a version has already a
- successor.
-
- * standardLivePropertiesClass (mandatory=no,
- default="org.apache.slide.webdav.util.resourcekind.AbstractResourceKind"):
- Determines the "agent" knowing about what the standard live properties are.
- It should be a loadable class containing the following static methods:
- - boolean isLiveProperty(String propName)
- - boolean isProtectedProperty(String propName)
- - boolean isComputedProperty(String propName)
- - Set getAllLiveProperties()
- - Set getAllProtectedProperties()
- - Set getAllComputedProperties()
-
- * uriRedirectorClass (mandatory=no,
- default="org.apache.slide.webdav.util.DeltavUriRedirector"):
- Determines the URI redirector class. The DeltaV URI redirector is in
- charge of the following redirections:
- - version URI to history URI, e.g. /history/2/1.4 to /history/2
- - latest revision number for history resource to 0.0
- - latest revision number for version resource to last URI token,
- e.g. /history/2/1.4 to 1.4
- It should be a loadable class containing the following static methods:
- - String redirectUri(String uri)
- - NodeRevisionNumber redirectLatestRevisionNumber(String uri)
- -->
- <parameter name="historypath">/history</parameter>
- <parameter name="workspacepath">/workspace</parameter>
- <parameter name="workingresourcepath">/workingresource</parameter>
- <parameter name="auto-version">checkout-checkin</parameter>
- <parameter name="auto-version-control">false</parameter>
- <parameter name="versioncontrol-exclude"/>
- <parameter name="checkout-fork">forbidden</parameter>
- <parameter name="checkin-fork">forbidden</parameter>
-
-
- <!-- Extractor configuration -->
- <extractors>
- <extractor classname="org.apache.slide.extractor.SimpleXmlExtractor" uri="/files/articles/test.xml">
- <configuration>
- <instruction property="title" xpath="/article/title/text()" />
- <instruction property="summary" xpath="/article/summary/text()" />
- </configuration>
- </extractor>
- <extractor classname="org.apache.slide.extractor.OfficeExtractor" uri="/files/docs/">
- <configuration>
- <instruction property="author" id="SummaryInformation-0-4" />
- <instruction property="application" id="SummaryInformation-0-18" />
- </configuration>
- </extractor>
- </extractors>
-
- <!-- Event configuration -->
- <events>
- <event classname="org.apache.slide.webdav.event.WebdavEvent" enable="true" />
- <event classname="org.apache.slide.event.ContentEvent" enable="true" />
- <event classname="org.apache.slide.event.ContentEvent" method="retrieve" enable="false" />
- <event classname="org.apache.slide.event.EventCollection" enable="true" />
- <event classname="org.apache.slide.event.TransactionEvent" enable="true" />
-
- <event classname="org.apache.slide.event.MacroEvent" enable="true"/>
-
- <!--listener classname="org.apache.slide.util.event.EventLogger" /-->
- <listener classname="org.apache.slide.event.VetoableEventCollector" />
- <listener classname="org.apache.slide.event.TransientEventCollector" />
- <listener classname="org.apache.slide.webdav.event.NotificationTrigger">
- <configuration>
- <notification include-events="false" />
- <persist-subscriptions filename="subscriptions.xml" />
- </configuration>
- </listener>
- <listener classname="org.apache.slide.extractor.PropertyExtractorTrigger" />
- <listener classname="org.apache.slide.search.IndexTrigger">
- <configuration>
- <indexer classname="org.apache.slide.search.LoggingIndexer" synchronous="false" uri="/files/articles" />
- </configuration>
- </listener>
-
- <!-- Uncomment for cluster support. Be sure to local-host and repository-host -->
- <!--
- <listener classname="org.apache.slide.cluster.ClusterCacheRefresher">
- <configuration>
- <node local-host="local.host.domain"
- local-port="4444"
- repository-host="remote.host.domain"
- repository-port="8080"
- repository-protocol="http"
- username="root"
- password="root"
- base-uri="/files/"
- />
- </configuration>
- </listener>
- -->
-
- <listener classname="org.apache.slide.macro.MacroPropertyUpdater">
- <!-- Listener that updates some properties if resources are
- copied or moved. This requires MacroEvents enabled (at
- least methods copy and move) -->
- <configuration>
- <update-displayname>true</update-displayname>
- <update-owner-on-move>false</update-owner-on-move>
- <update-owner-on-copy>true</update-owner-on-copy>
- </configuration>
- </listener>
- </events>
</slide>
Index: server/webapps/share/web/WEB-INF/web.xml
diff -u server/webapps/share/web/WEB-INF/web.xml:1.4 server/webapps/share/web/WEB-INF/web.xml:1.5
--- server/webapps/share/web/WEB-INF/web.xml:1.4 Wed Feb 23 20:23:53 2005
+++ server/webapps/share/web/WEB-INF/web.xml Mon Feb 28 11:52:59 2005
@@ -109,20 +109,60 @@
</servlet-mapping>
<security-constraint>
<web-resource-collection>
- <web-resource-name>File Share</web-resource-name>
- <url-pattern>/*</url-pattern>
+ <web-resource-name>Slide Internal</web-resource-name>
+ <url-pattern>/</url-pattern>
+ <http-method>GET</http-method>
+ <http-method>HEAD</http-method>
+ <http-method>OPTIONS</http-method>
<http-method>COPY</http-method>
<http-method>DELETE</http-method>
+ <http-method>LOCK</http-method>
+ <http-method>MKCOL</http-method>
+ <http-method>MOVE</http-method>
+ <http-method>POST</http-method>
+ <http-method>PROPFIND</http-method>
+ <http-method>PROPPATCH</http-method>
+ <http-method>PUT</http-method>
+ <http-method>UNLOCK</http-method>
+ <http-method>VERSION-CONTROL</http-method>
+ <http-method>REPORT</http-method>
+ <http-method>CHECKIN</http-method>
+ <http-method>CHECKOUT</http-method>
+ <http-method>UNCHECKOUT</http-method>
+ <http-method>MKWORKSPACE</http-method>
+ <http-method>UPDATE</http-method>
+ <http-method>LABEL</http-method>
+ <http-method>MERGE</http-method>
+ <http-method>BASELINE-CONTROL</http-method>
+ <http-method>MKACTIVITY</http-method>
+ <http-method>ACL</http-method>
+ <http-method>SEARCH</http-method>
+ <http-method>BIND</http-method>
+ <http-method>UNBIND</http-method>
+ <http-method>REBIND</http-method>
+ <http-method>SUBSCRIBE</http-method>
+ <http-method>UNSUBSCRIBE</http-method>
+ <http-method>POLL</http-method>
+ <http-method>NOTIFY</http-method>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>root</role-name>
+ </auth-constraint>
+ </security-constraint>
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>File Share</web-resource-name>
+ <url-pattern>/</url-pattern>
<!--
<http-method>GET</http-method>
<http-method>HEAD</http-method>
+ <http-method>OPTIONS</http-method>
-->
+ <http-method>COPY</http-method>
+ <http-method>DELETE</http-method>
<http-method>LOCK</http-method>
<http-method>MKCOL</http-method>
<http-method>MOVE</http-method>
-<!--
- <http-method>OPTIONS</http-method>
--->
<http-method>POST</http-method>
<http-method>PROPFIND</http-method>
<http-method>PROPPATCH</http-method>
@@ -153,11 +193,11 @@
<role-name>root</role-name>
<role-name>user</role-name>
</auth-constraint>
+ </security-constraint>
<resource-env-ref>
<resource-env-ref-name>jdbc/ChandlerUserDB</resource-env-ref-name>
<resource-env-ref-type>javax.sql.DataSource</resource-env-ref-type>
</resource-env-ref>
- </security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Chandler Server</realm-name>
More information about the Commits
mailing list