| 3 | | || '''Date''' || YYYY/MM/DD || |
| 4 | | || '''Contact(s)''' || List of author(s). || |
| 5 | | || '''Last edited''' || |
| 6 | | || '''Status''' || draft, being discussed, in progress, complete, rejected, deferred || |
| 7 | | || '''Assigned to release''' || Release number, to be determined || |
| 8 | | || '''Resources''' || Indicate if the required resources are available to complete the proposal || |
| | 3 | || '''Date''' || 2010/12/15 || |
| | 4 | || '''Contact(s)''' || [http://wiki.osgeo.org/wiki/User:Heikki Heikki Doeleman] & [http://wiki.osgeo.org/wiki/User:Josegar Jose Garcia] || |
| | 5 | || '''Last edited''' || 2010/12/15 || |
| | 6 | || '''Status''' || Draft In Progress || |
| | 7 | || '''Assigned to release''' || 2.7 || |
| | 8 | || '''Resources''' || Nordic countries (Denmark, Finland, Norway and Sweden) || |
| 31 | | The current configuration is .... A change to .... |
| | 31 | This document describes the architecture we propose to enable and enhance the use of various security providers with GeoNetwork opensource. We will give an overview of the current way of dealing with security in GeoNetwork 2.x and GeoNetwork 3.x, after which we will present this proposal in more detail. |
| | 32 | |
| | 33 | This proposal entails the use of [http://static.springsource.org/spring-security/site/ Spring Security], a well-known framework that supports the use of one or several security providers. It also entails the introduction of a dedicated GN security component (GAAP), which is already in use in GeoNetwork 3.x, into GeoNetwork 2.x. |
| | 34 | |
| | 35 | === current situation in GeoNetwork 2.x === |
| | 36 | |
| | 37 | This section describes the implementation of authentication and authorization in the current releases of GeoNetwork 2.x (as also in trunk). |
| | 38 | |
| | 39 | ==== Users and Groups ==== |
| | 40 | |
| | 41 | GeoNetwork maintains DBMS tables for Users and Groups. A User is an entity that can log in, log out, has a Profile (this is best understood as a Role), and is part of one or more Groups. Access to metadata is restricted by Profile and Group. The Group privileges to access a metadata are stored in a DBMS table and also in the Lucene index. In the code these access privileges are overridden by checking on Profile (esp. Users with Profile "Administrator" are permitted access to all metadata). The metadata access is further specified in access types (View, Edit, and a few other ones). |
| | 42 | |
| | 43 | ==== LDAP ==== |
| | 44 | |
| | 45 | It is possible to configure an external LDAP security provider. In this case, after a successful login, the User information obtained from LDAP is temporarily inserted into the GeoNetwork Users DBMS table. When the session ends (upon logout or expiration) they remain in the database. It is not possible to configure more than one LDAP provider. |
| | 46 | |
| | 47 | === current situation in GeoNetwork 3.x === |
| | 48 | |
| | 49 | This section describes the implementation of authentication and authorization in the current branch of GeoNetwork 3.x. |
| | 50 | |
| | 51 | In GeoNetwork 3.x the picture is slightly changed because of the introduction of a new, separate Web application, GeoNetwork CSW/ebRIM. This application restricts access to its ebRIM metadata based on the privileges for the ISO19139 metadata (in "Legacy" GeoNetwork) that the ebRIM metadata was created for. In order to separate concerns an extra new Web application was introduced, GAAP (GeoNetwork Authentication & Authorization Application). |
| | 52 | |
| | 53 | The GeoNetwork Users and Groups DBMS tables, as well as the metadata privileges table in GeoNetwork 3.x are moved to GAAP. GeoNetwork CSW/ebRIM consults GAAP to control access to its ebRIM metadata. Legacy GeoNetwork consults GAAP to control access to its metadata. |
| | 54 | |
| | 55 | === outline of proposed changes === |
| | 56 | |
| | 57 | This section summarizes our proposed changes. The changes are intended to: |
| | 58 | |
| | 59 | * allow for the use of more than one authentication provider, simultaneously |
| | 60 | * add support for [http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language SAML]-based authentication (Single-Sign On) |
| | 61 | * allow for the use of other types of external security providers |
| | 62 | * improve on the implementation when using GeoNetwork Authentication and/or one or more external security providers |
| | 63 | * improve performance as compared to the current GeoNetwork 3.x code |
| | 64 | * The proposal involves the introduction of GAAP in GeoNetwork 2.x and modifications to the working of GAAP and Legacy GeoNetwork. |
| | 65 | |
