= Improved security =

|| '''Date''' || 2012/08/01 ||
|| '''Contact(s)''' || [http://wiki.osgeo.org/wiki/User:Jeichar Jesse Eichar], Francois Prunayre ||
|| '''Last edited''' || ||
|| '''Status''' || draft ||
|| '''Assigned to release''' || 2.9.x ||
|| '''Resources''' || Funding Ifremer ||
|| '''Code''' || https://github.com/jesseeichar/core-geonetwork/commits/feature/spring-security ||

== Overview ==

This proposal entails the use of Spring Security (http://www.springsource.org/spring-security), a well-known framework that supports the use of one or several security providers.

Main goals are:
 * SSO configuration (CAS)
 * improve LDAP support
 * support more than one authentication provider
 * ... and keep local user database and shibboleth support.

=== Proposal Type ===
 * '''Type''': Security
 * '''App''': !GeoNetwork
 * '''Module''':

=== Links ===
 * '''Email discussions''':
 * '''IRC discussions''':
 * '''Related work''':
   * http://trac.osgeo.org/geonetwork/wiki/proposals/ImprovedSecurityArchitecture
   * [wiki:Adding CAS authentication support]

=== Voting History ===
 * None as yet

----

== Proposal ==

Right now the user-profiles configuration file is used to control what profiles exist and what profiles can access which services. This proposal moves the security control from user-profiles to spring-security.

Example:
{{{
}}}

=== Configuration ===

A config-security.xml file is added to:
 * configure access for GeoNetwork services
 * configure authentication provider(s)

=== LDAP improvements ===

LDAP support is similar to the current one, creating a local user in the GeoNetwork database.
The following improvements have been done:
 * Support for non anonymous binding
 * Support full user property mapping to populate all information for a user (possibility to set a default value for each field)
{{{
#ldapUserContextMapper.mapping[USER TABLE COLUMN]=LDAP ATTRIBUTE,DEFAULT VALUE
ldapUserContextMapper.mapping[name]=cn,
ldapUserContextMapper.mapping[surname]=givenName,
ldapUserContextMapper.mapping[mail]=mail,data@myorganization.org
ldapUserContextMapper.mapping[organisation]=,myorganization
ldapUserContextMapper.mapping[kind]=,
ldapUserContextMapper.mapping[address]=,
ldapUserContextMapper.mapping[zip]=,
ldapUserContextMapper.mapping[state]=,
ldapUserContextMapper.mapping[city]=,
ldapUserContextMapper.mapping[country]=,
ldapUserContextMapper.mapping[privilege]=listesiteweb,sample
ldapUserContextMapper.mapping[profile]=,Guest
}}}
 * Manage user groups and profiles from LDAP information or from local database
 * Support to retrieve a list of groups (and not only one) from an attribute or using a pattern

A combination of group/profile could be defined in an LDAP attribute and extracted on login:

Note: this will work with the multiple profile proposal (http://trac.osgeo.org/geonetwork/wiki/proposals/UserProfileByGroup)

{{{
-- Define a catalog admin:
listesiteweb=SXT_*_Administrator
-- Define a reviewer for the group GRANULAT
Listesiteweb=SXT_GRANULAT_Reviewer
-- Define a reviewer for the group GRANULAT and editor for MIMEL
Listesiteweb=SXT_GRANULAT_Reviewer
Listesiteweb=SXT_MIMEL_Editor
-- Define a reviewer for the group GRANULAT and editor for MIMEL and RegisteredUser for NATURA2000
Listesiteweb=SXT_GRANULAT_Reviewer
Listesiteweb=SXT_MIMEL_Editor
Listesiteweb=SXT_NATURA2000_RegisteredUser
-- Only a registered user for GRANULAT
Listesiteweb=SXT_GRANULAT_RegisteredUser
}}}

In that case, the configuration for extracting user profiles and groups is:
{{{
ldap.privilege.pattern=SXT_(.*)_(.*)
ldap.privilege.pattern.idx.profil=2
ldap.privilege.pattern.idx.group=1
}}}
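As an added example, not code from this proposal or from GeoNetwork's Spring Security integration, the Python sketch below shows how the property mapping and the ldap.privilege.pattern configuration above turn an LDAP entry into a local user record: each user column takes the first value of its LDAP attribute or, when the attribute is absent or left unnamed, the configured default; every value of the privilege attribute that fully matches the pattern yields one (group, profile) pair, using the configured group index and profile index, and values that do not match are ignored rather than granted. The property parser, the constructed LDAP entry and all function names are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the two property fragments shown on this page.
SAMPLE_PROPERTIES = """
#ldapUserContextMapper.mapping[USER TABLE COLUMN]=LDAP ATTRIBUTE,DEFAULT VALUE
ldapUserContextMapper.mapping[name]=cn,
ldapUserContextMapper.mapping[surname]=givenName,
ldapUserContextMapper.mapping[mail]=mail,data@myorganization.org
ldapUserContextMapper.mapping[organisation]=,myorganization
ldapUserContextMapper.mapping[privilege]=listesiteweb,sample
ldapUserContextMapper.mapping[profile]=,Guest
ldap.privilege.pattern=SXT_(.*)_(.*)
ldap.privilege.pattern.idx.profil=2
ldap.privilege.pattern.idx.group=1
"""

# Constructed LDAP entry (attribute name -> list of values); no 'mail' attribute on purpose.
SAMPLE_LDAP_ENTRY = {
    "cn": ["jdoe"],
    "givenName": ["John"],
    "listesiteweb": ["SXT_GRANULAT_Reviewer", "SXT_MIMEL_Editor", "newsletter"],
}

_MAPPING_KEY = re.compile(r"^ldapUserContextMapper\.mapping\[(\w+)\]$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser: skips blank lines and '#' comments, splits on the first '='."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def column_mapping(props: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {user column: (ldap attribute or '', default value or '')} from mapping[...] keys."""
    mapping: Dict[str, Tuple[str, str]] = {}
    for key, value in props.items():
        m = _MAPPING_KEY.match(key)
        if m:
            attr, _, default = value.partition(",")
            mapping[m.group(1)] = (attr.strip(), default.strip())
    return mapping


def map_user(ldap_entry: Dict[str, List[str]], mapping: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """First LDAP value when the attribute is named and present, otherwise the configured default."""
    user: Dict[str, str] = {}
    for column, (attr, default) in mapping.items():
        values = ldap_entry.get(attr, []) if attr else []
        user[column] = values[0] if values else default
    return user


def extract_privileges(values: List[str], pattern: str, group_idx: int, profile_idx: int) -> List[Tuple[str, str]]:
    """Apply ldap.privilege.pattern to every attribute value; return sorted, de-duplicated (group, profile) pairs."""
    rx = re.compile(pattern)
    pairs = set()
    for v in values:
        m = rx.fullmatch(v)  # whole-value match, like Java's Matcher.matches()
        if m is None:
            continue  # non-conforming values grant nothing
        pairs.add((m.group(group_idx), m.group(profile_idx)))
    return sorted(pairs)


def local_user_from_ldap(props: Dict[str, str], ldap_entry: Dict[str, List[str]]) -> Dict[str, object]:
    """Combine both steps: populate the user columns, then derive group/profile pairs from the privilege attribute."""
    mapping = column_mapping(props)
    priv_attr, _ = mapping.pop("privilege", ("", ""))  # privilege is multi-valued, handled separately
    user: Dict[str, object] = dict(map_user(ldap_entry, mapping))
    user["privileges"] = extract_privileges(
        ldap_entry.get(priv_attr, []),
        props["ldap.privilege.pattern"],
        int(props["ldap.privilege.pattern.idx.group"]),
        int(props["ldap.privilege.pattern.idx.profil"]),
    )
    return user


if __name__ == "__main__":
    print(local_user_from_ldap(parse_properties(SAMPLE_PROPERTIES), SAMPLE_LDAP_ENTRY))
```

For the constructed entry the record gets name "jdoe", the default mail and organisation, the default profile "Guest", and the pairs ("GRANULAT", "Reviewer") and ("MIMEL", "Editor"); the "newsletter" value is dropped because it does not match the pattern. The catalog-admin value "SXT_*_Administrator" from the page comes out as the pair ("*", "Administrator"); how the catalog interprets the "*" group is left to the application and is not modelled here.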
 * Add synchronization task to remove user from local user database when removed from the LDAP
 * Add option to create user LDAP group in local database

=== Backwards Compatibility Issues ===
 * Security configuration is made using configuration file (and not user interface)
 * Database changes (migration script provided):
   * User table: add an authtype column
 * Configuration overrides would not work at all and there is no migration for that.

== Risks ==

== Participants ==
 * As above