| | 1 | = Improved security = |
| | 2 | |
| | 3 | || '''Date''' || 2012/08/01 || |
| | 4 | || '''Contact(s)''' || [http://wiki.osgeo.org/wiki/User:Jeichar Jesse Eichar], Francois Prunayre || |
| | 5 | || '''Last edited''' || || |
| | 6 | || '''Status''' || draft || |
| | 7 | || '''Assigned to release''' || 2.9.x || |
| | 8 | || '''Resources''' || Funding Ifremer || |
| | 9 | || '''Code''' || https://github.com/jesseeichar/core-geonetwork/commits/feature/spring-security || |
| | 10 | |
| | 11 | == Overview == |
| | 12 | |
| | 13 | This proposal entails the use of Spring Security (http://www.springsource.org/spring-security), a well-known framework that supports the use of one or several security providers. Main goals are: |
| | 14 | * SSO configuration (CAS) |
| | 15 | * improve LDAP support |
| | 16 | * support more than one authentication provider |
| | 17 | * ... and keep local user database and shibboleth support. |
| | 18 | |
| | 19 | |
| | 20 | === Proposal Type === |
| | 21 | * '''Type''': Security |
| | 22 | * '''App''': !GeoNetwork |
| | 23 | * '''Module''': |
| | 24 | |
| | 25 | === Links === |
| | 26 | |
| | 27 | * '''Email discussions''': |
| | 28 | * '''IRC discussions''': |
| | 29 | * '''Related work''': |
| | 30 | * http://trac.osgeo.org/geonetwork/wiki/proposals/ImprovedSecurityArchitecture |
| | 31 | * [wiki:Adding CAS authentication support] |
| | 32 | |
| | 33 | |
| | 34 | === Voting History === |
| | 35 | |
| | 36 | * None as yet |
| | 37 | |
| | 38 | ---- |
| | 39 | |
| | 40 | |
| | 41 | == Proposal == |
| | 42 | |
| | 43 | Right now the user-profiles configuration file is used to control what profiles exist and what profiles can access which services. |
| | 44 | This proposal moves the security control from user-profiles to spring-security. |
| | 45 | |
| | 46 | Example: |
| | 47 | {{{ |
| | 48 | <sec:intercept-url pattern="/srv/.*/group.remove(|!).*" access="hasRole('Administrator')"></sec:intercept-url> |
| | 49 | }}} |
| | 50 | |
| | 51 | === Configuration === |
| | 52 | |
| | 53 | A config-security.xml file is added to: |
| | 54 | * configure access for GeoNetwork services |
| | 55 | * configure authentication provider(s) |
| | 56 | |
| | 57 | |
| | 58 | === LDAP improvements === |
| | 59 | |
| | 60 | LDAP support is similar as the current one, creating a local user in GeoNetwork database. The following improvements have been done: |
| | 61 | |
| | 62 | * Support for non anonymous binding |
| | 63 | * Support full user property mapping to populate all information for a user (possibility to set default value for all fields) |
| | 64 | {{{ |
| | 65 | #ldapUserContextMapper.mapping[USER TABLE COLUMN]=LDAP ATTRIBUTE,DEFAULT VALUE |
| | 66 | |
| | 67 | ldapUserContextMapper.mapping[name]=cn, |
| | 68 | ldapUserContextMapper.mapping[surname]=givenName, |
| | 69 | ldapUserContextMapper.mapping[mail]=mail,data@myorganization.org |
| | 70 | ldapUserContextMapper.mapping[organisation]=,myorganization |
| | 71 | ldapUserContextMapper.mapping[kind]=, |
| | 72 | ldapUserContextMapper.mapping[address]=, |
| | 73 | ldapUserContextMapper.mapping[zip]=, |
| | 74 | ldapUserContextMapper.mapping[state]=, |
| | 75 | ldapUserContextMapper.mapping[city]=, |
| | 76 | ldapUserContextMapper.mapping[country]=, |
| | 77 | ldapUserContextMapper.mapping[privilege]=listesiteweb,sample |
| | 78 | ldapUserContextMapper.mapping[profile]=,Guest |
| | 79 | }}} |
| | 80 | * Manage user groups and profiles from LDAP information or from local database |
| | 81 | * Support to retrieve a list of groups (and not only one) from an attribute or using a pattern |
| | 82 | A combination of group/profile could be defined in an LDAP attribute and extracted on login: |
| | 83 | |
| | 84 | Note : this will work with the multiple profil proposal (http://trac.osgeo.org/geonetwork/wiki/proposals/UserProfileByGroup) |
| | 85 | {{{ |
| | 86 | -- Define a catalog admin: |
| | 87 | listesiteweb=SXT_*_Administrator |
| | 88 | |
| | 89 | -- Define a reviewer for the group GRANULAT |
| | 90 | Listesiteweb=SXT_GRANULAT_Reviewer |
| | 91 | |
| | 92 | -- Define a reviewer for the group GRANULAT and editor for MIMEL |
| | 93 | Listesiteweb=SXT_GRANULAT_Reviewer |
| | 94 | Listesiteweb=SXT_MIMEL_Editor |
| | 95 | |
| | 96 | -- Define a reviewer for the group GRANULAT and editor for MIMEL and RegisteredUser for NATURA2000 |
| | 97 | Listesiteweb=SXT_GRANULAT_Reviewer |
| | 98 | Listesiteweb=SXT_MIMEL_Reviewer |
| | 99 | Listesiteweb=SXT_NATURA2000_RegisterdUser |
| | 100 | |
| | 101 | -- Only a registered user for GRANULAT |
| | 102 | Listesiteweb=SXT_GRANULAT_RegisteredUser |
| | 103 | }}} |
| | 104 | In that case, the configuration for extracting user profils and groups is: |
| | 105 | {{{ |
| | 106 | ldap.privilege.pattern=SXT_(.*)_(.*) |
| | 107 | ldap.privilege.pattern.idx.profil=2 |
| | 108 | ldap.privilege.pattern.idx.group=1 |
| | 109 | }}} |
| | 110 | * Add synchronization task to remove user from local user database when removed from the LDAP |
| | 111 | * Add option to create user LDAP group in local database |
| | 112 | |
| | 113 | |
| | 114 | === Backwards Compatibility Issues === |
| | 115 | |
| | 116 | * Security configuration is made using configuration file (and not user interface) |
| | 117 | * Database changes (migration script provided): |
| | 118 | * User table : add a authtype column |
| | 119 | * Configuration overrides would not work at all and there is not migration for that. |
| | 120 | |
| | 121 | == Risks == |
| | 122 | |
| | 123 | |
| | 124 | == Participants == |
| | 125 | * As above |
