Implemented TomcatRolesPrincipalProvider #314

Closed
ksclarke
Contributor

Submitting this as a PR to start the conversation. Not sure if this is enough or whether more is needed.

The use case as I understand it... we want to be able to configure roles in the Tomcat tomcat-users.xml file that will be treated as principals for access to resources. A sample tomcat-users.xml file might look like:

<tomcat-users>
  <!-- Fedora roles -->
  <role rolename="fedoraAdmin"/>
  <role rolename="fedoraUser"/>

  <!-- AIC roles -->
  <role rolename="aic-scraper"/>

  <user username="fcindexer" password="thepasswd" roles="fedoraUser"/>
</tomcat-users>

With this TomcatRolesPrincipalProvider class, access to a FF4 object can be given to the aic-scraper role (as a principal):

{
  "aic-scraper" : [ "reader" ]
}

And the fcindexer will not be able to access the object. When the aic-scraper role is added to the fcindexer user, though:

<user username="fcindexer" password="thepasswd" roles="fedoraUser,aic-scraper"/>

the fcindexer will then be able to access that object.

This is tested with Tomcat7... if my understanding of the needs of this ticket is correct, I can check to see what versions of Tomcat (6, etc.) are handled by it, or whether more code is needed to support them.

I'm also not quite sure how to write tests for this since it's a container-specific thing (i.e., checks a Catalina class that won't be found in our Jetty dev environment). As you can see in the code, reflection is used to avoid container-specific dependencies.

Awaiting feedback for possible revisions... thanks.

@ksclarke
Contributor Author

Just a note that the user still has to have the 'fedoraUser' role (just having the 'aic-scraper' role isn't enough to connect to FF4 with auth-constraints).

@awoods

awoods commented Apr 22, 2014

@ksclarke, as noted in the following thread:
https://groups.google.com/d/msg/fedora-tech/gCV_yLB3_Ck/7KREICU3KtsJ

I would expect from a security perspective that we will not want to "reflect" our way into extracting all of the tomcat-user roles, but instead the configuration of TomcatRolesPrincipalProvider would list expected (or permissible) role/group names, and then check by using HttpServletRequest.isUserInRole(String role) if any of the expected roles are in the requesting user's attribute set.
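
The approach described in the comment above, sketched as an added example (not code from this PR or from the Fedora project): the provider is configured with an allowlist of role names and asks the container about each one through `HttpServletRequest.isUserInRole`, so it never reads the realm's full role list. The class name `AllowlistedRolePrincipals`, the nested `RolePrincipal` type and the comma-separated configuration string are assumptions made for illustration; `aic-scraper` is the role from the sample `tomcat-users.xml` earlier in the thread.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical sketch: maps an allowlist of container roles to principals. */
public class AllowlistedRolePrincipals {

    /** Minimal Principal carrying just the role name. */
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }

    private final Set<String> allowedRoles;

    /** @param commaSeparated configured role names, e.g. "aic-scraper" */
    public AllowlistedRolePrincipals(String commaSeparated) {
        Set<String> roles = new LinkedHashSet<>();
        for (String r : commaSeparated.split(",")) {
            String t = r.trim();
            if (!t.isEmpty()) roles.add(t);   // ignore blank entries
        }
        this.allowedRoles = Collections.unmodifiableSet(roles);
    }

    /** Returns principals only for configured roles the container confirms. */
    public Set<Principal> getPrincipals(HttpServletRequest request) {
        Set<Principal> principals = new LinkedHashSet<>();
        if (request == null || request.getUserPrincipal() == null) {
            return principals;   // unauthenticated: no role principals
        }
        for (String role : allowedRoles) {
            if (request.isUserInRole(role)) {   // container decides membership
                principals.add(new RolePrincipal(role));
            }
        }
        return principals;
    }
}
```

Because only the standard servlet API is used, the same class works under Jetty or Tomcat and can be unit-tested with a stubbed `HttpServletRequest`; roles that are not in the configured list never become principals, whatever the container's user database contains.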

@ksclarke
Contributor Author

Okay, thanks, closing this PR then and will open a different one with that approach.

Edit: I'm not sure I understand why reflecting them from the tomcat config is a security issue, though; would welcome learning about that if you get the chance @awoods (know you're busy with the conference this week... no hurry).

@ksclarke ksclarke closed this Apr 23, 2014
@ksclarke ksclarke deleted the TomcatRolesPrincipalProvider-69444656 branch May 2, 2014 14:01