Improved security
Date | 2012/08/01 |
Contact(s) | Jesse Eichar, Francois Prunayre |
Last edited | |
Status | draft |
Assigned to release | 2.9.x |
Resources | Funding Ifremer |
Code | https://github.com/jesseeichar/core-geonetwork/commits/feature/spring-security |
Overview
This proposal adopts Spring Security (http://www.springsource.org/spring-security), a widely used framework that can chain one or several authentication providers. The main goals are:
- SSO configuration (CAS)
- improved LDAP support
- support for more than one authentication provider
- ... while keeping the local user database and Shibboleth support.
Proposal Type
- Type: Security
- App: GeoNetwork
- Module:
Links
- Email discussions:
- IRC discussions:
- Related work:
Voting History
- None as yet
Proposal
Currently the user-profiles configuration file controls which profiles exist and which profiles may access which services. This proposal moves that access control from user-profiles to Spring Security, where each service URL pattern is mapped to the roles allowed to call it.
Example: the group.remove service (and its group.remove! variant, covered by the "(|!)" alternative) is restricted to the Administrator profile:
<sec:intercept-url pattern="/srv/.*/group.remove(|!).*" access="hasRole('Administrator')"></sec:intercept-url>
Configuration
A config-security.xml file is added to:
- configure access for GeoNetwork services
- configure authentication provider(s)
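The following config-security.xml is an added illustration of the two roles this file plays (service access rules and authentication providers); it is not the project's own file. It uses the Spring Security 3.1 namespace. The service names other than group.remove (group.update, metadata.delete), the login and logout URLs, the LDAP host, base DN and manager account, the properties file location, and the bean ids geonetworkUserDetailsService and ldapUserContextMapper (assumed to be defined elsewhere in the application context) are all assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative config-security.xml (added example, not GeoNetwork's own file).
     Service names other than group.remove, URLs, LDAP host/DNs and the two
     bean ids referenced below are assumptions. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- 1. Access control for GeoNetwork services.
       request-matcher="regex" is required: with the default ant matcher the
       patterns below never match and the rules silently do not apply.
       Rules are evaluated top to bottom and the first match wins, so the
       most restrictive patterns come first and the catch-all last. -->
  <sec:http use-expressions="true" request-matcher="regex">
    <!-- Group administration: Administrator only ("(|!)" also covers group.remove!) -->
    <sec:intercept-url pattern="/srv/.*/group\.remove(|!).*" access="hasRole('Administrator')"/>
    <sec:intercept-url pattern="/srv/.*/group\.update(|!).*" access="hasRole('Administrator')"/>
    <!-- Metadata deletion: Editor or above -->
    <sec:intercept-url pattern="/srv/.*/metadata\.delete(|!).*"
                       access="hasAnyRole('Editor','Reviewer','Administrator')"/>
    <!-- Everything not matched above (search, view, login page) stays public -->
    <sec:intercept-url pattern="/srv/.*" access="permitAll"/>

    <sec:form-login login-page="/srv/eng/login.form"
                    login-processing-url="/j_spring_security_check"
                    authentication-failure-url="/srv/eng/login.form?failure=true"/>
    <sec:logout logout-url="/j_spring_security_logout" logout-success-url="/srv/eng/main.home"/>
  </sec:http>

  <!-- 2. LDAP server with a non-anonymous bind: the manager account searches
       for the user entry, then the user's own password is verified by binding
       as that entry. The manager password comes from a properties file kept
       outside the webapp, never from this XML. -->
  <sec:ldap-server id="ldapServer"
                   url="ldap://ldap.myorganization.org:389/dc=myorganization,dc=org"
                   manager-dn="cn=geonetwork,ou=services,dc=myorganization,dc=org"
                   manager-password="${ldap.manager.password}"/>

  <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
    <property name="location" value="file:${catalina.base}/conf/geonetwork-ldap.properties"/>
  </bean>

  <!-- 3. More than one authentication provider: LDAP is tried first, then the
       local user table. The first provider that authenticates wins; a failure
       in LDAP does not stop the local provider from being consulted. -->
  <sec:authentication-manager>
    <sec:ldap-authentication-provider server-ref="ldapServer"
                                      user-search-base="ou=people"
                                      user-search-filter="(uid={0})"
                                      group-search-base="ou=groups"
                                      group-search-filter="(member={0})"
                                      role-prefix="none"
                                      user-context-mapper-ref="ldapUserContextMapper"/>
    <sec:authentication-provider user-service-ref="geonetworkUserDetailsService">
      <!-- Must match how the local user table stores password hashes (assumed here) -->
      <sec:password-encoder hash="sha-256"/>
    </sec:authentication-provider>
  </sec:authentication-manager>
</beans>
```

Two checks worth making when writing such a file: escape the dots in service names (group\.remove rather than group.remove, otherwise the pattern also matches groupXremove), and keep the most privileged rules above the permitAll catch-all, since a permitAll rule placed first would make every later rule unreachable.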
LDAP improvements
LDAP support is similar to the current one: an LDAP user is still materialised as a local user in the GeoNetwork database. The following improvements have been made:
- Support for non-anonymous binding (a service account binds to search for the user entry instead of an anonymous search)
- Support for full user property mapping to populate all information for a user, with an optional default value for every field. Each entry has the form USER TABLE COLUMN=LDAP ATTRIBUTE,DEFAULT VALUE; an empty attribute name means the default is always used:
  #ldapUserContextMapper.mapping[USER TABLE COLUMN]=LDAP ATTRIBUTE,DEFAULT VALUE
  ldapUserContextMapper.mapping[name]=cn,
  ldapUserContextMapper.mapping[surname]=givenName,
  ldapUserContextMapper.mapping[mail]=mail,data@myorganization.org
  ldapUserContextMapper.mapping[organisation]=,myorganization
  ldapUserContextMapper.mapping[kind]=,
  ldapUserContextMapper.mapping[address]=,
  ldapUserContextMapper.mapping[zip]=,
  ldapUserContextMapper.mapping[state]=,
  ldapUserContextMapper.mapping[city]=,
  ldapUserContextMapper.mapping[country]=,
  ldapUserContextMapper.mapping[privilege]=listesiteweb,sample
  ldapUserContextMapper.mapping[profile]=,Guest
- Manage user groups and profiles from LDAP information or from the local database
- Support for retrieving a list of groups (and not only one) from an attribute or using a pattern.
  A combination of group/profile can be defined in an LDAP attribute and extracted on login.
  Note: this works with the multiple profile proposal (http://trac.osgeo.org/geonetwork/wiki/proposals/UserProfileByGroup).
  -- Define a catalog admin:
  listesiteweb=SXT_*_Administrator
  -- Define a reviewer for the group GRANULAT:
  listesiteweb=SXT_GRANULAT_Reviewer
  -- Define a reviewer for the group GRANULAT and an editor for MIMEL:
  listesiteweb=SXT_GRANULAT_Reviewer
  listesiteweb=SXT_MIMEL_Editor
  -- Define a reviewer for the group GRANULAT, an editor for MIMEL and a RegisteredUser for NATURA2000:
  listesiteweb=SXT_GRANULAT_Reviewer
  listesiteweb=SXT_MIMEL_Editor
  listesiteweb=SXT_NATURA2000_RegisteredUser
  -- Only a registered user for GRANULAT:
  listesiteweb=SXT_GRANULAT_RegisteredUser
  In that case, the configuration for extracting user profiles and groups is:
  ldap.privilege.pattern=SXT_(.*)_(.*)
  ldap.privilege.pattern.idx.profil=2
  ldap.privilege.pattern.idx.group=1
  (the capture group at idx.group gives the group name and the one at idx.profil the profile name)
- Add a synchronization task to remove a user from the local user database when the user is removed from the LDAP
- Add an option to create LDAP user groups in the local database
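The property mapping and the group/profile pattern extraction described in the list above, as an added example in Python that is not GeoNetwork code: it parses the properties shown above, fills the local user columns from a constructed LDAP entry (falling back to the configured defaults), and turns the listesiteweb values into (group, profile) pairs with the SXT_(.*)_(.*) pattern. The profile list, the sample entry, and the reading of SXT_*_Administrator as "administrator of the whole catalog" are assumptions. It goes slightly beyond the page's cases: it shows that the greedy capture splits at the last underscore, so group names containing underscores survive, and it rejects any profile name that GeoNetwork does not know instead of granting it.

```python
import re

# Profiles known to GeoNetwork 2.x (assumption: the names used on this page).
# Only these are accepted from LDAP; anything else is ignored, so a mistyped
# or hostile attribute value can never grant a profile the catalog lacks.
PROFILES = ("Administrator", "Reviewer", "Editor", "RegisteredUser", "Guest")

# Constructed configuration in the properties syntax shown above.
CONFIG = """
#ldapUserContextMapper.mapping[USER TABLE COLUMN]=LDAP ATTRIBUTE,DEFAULT VALUE
ldapUserContextMapper.mapping[name]=cn,
ldapUserContextMapper.mapping[surname]=givenName,
ldapUserContextMapper.mapping[mail]=mail,data@myorganization.org
ldapUserContextMapper.mapping[organisation]=,myorganization
ldapUserContextMapper.mapping[privilege]=listesiteweb,sample
ldapUserContextMapper.mapping[profile]=,Guest
ldap.privilege.pattern=SXT_(.*)_(.*)
ldap.privilege.pattern.idx.profil=2
ldap.privilege.pattern.idx.group=1
"""

# Constructed LDAP entry (attribute -> list of values), as a search would return it.
SAMPLE_ENTRY = {
    "uid": ["jdoe"],
    "cn": ["John Doe"],
    "givenName": ["John"],
    # no "mail" attribute: the default from the mapping must be used
    "listesiteweb": [
        "SXT_GRANULAT_Reviewer",
        "SXT_MIMEL_Editor",
        "SXT_MY_GROUP_Editor",       # group name containing an underscore
        "SXT_NATURA2000_SuperUser",  # not a GeoNetwork profile: must be ignored
        "unrelated-value",           # does not match the pattern at all
    ],
}

MAPPING_KEY = re.compile(r"^ldapUserContextMapper\.mapping\[(\w+)\]=(.*)$")


def parse_config(text):
    """Split the properties into the column mapping and the remaining keys."""
    mapping, props = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MAPPING_KEY.match(line)
        if m:
            attr, _, default = m.group(2).partition(",")
            mapping[m.group(1)] = (attr.strip(), default.strip())
        else:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return mapping, props


def map_user(entry, mapping):
    """Populate the local user columns: LDAP attribute first, default otherwise."""
    user = {}
    for column, (attr, default) in mapping.items():
        values = entry.get(attr, []) if attr else []
        user[column] = values[0] if values else default
    return user


def extract_privileges(values, props):
    """Turn attribute values into (group, profile) pairs with the configured pattern."""
    pattern = re.compile(props["ldap.privilege.pattern"])
    idx_profile = int(props["ldap.privilege.pattern.idx.profil"])
    idx_group = int(props["ldap.privilege.pattern.idx.group"])
    privileges = set()
    for value in values:
        m = pattern.fullmatch(value)  # anchored: no partial matches
        if not m:
            continue
        group, profile = m.group(idx_group), m.group(idx_profile)
        if not group or profile not in PROFILES:
            continue  # fail closed on an empty group or an unknown profile
        privileges.add((group, profile))
    return sorted(privileges)


def is_catalog_administrator(privileges):
    """SXT_*_Administrator on the page is read as administrator of the whole catalog (assumption)."""
    return ("*", "Administrator") in privileges


def sync_user(entry, config_text):
    """What a login would persist: user columns plus the (group, profile) pairs."""
    mapping, props = parse_config(config_text)
    user = map_user(entry, mapping)
    privilege_attr, _ = mapping["privilege"]
    privileges = extract_privileges(entry.get(privilege_attr, []), props)
    return user, privileges, is_catalog_administrator(privileges)


if __name__ == "__main__":
    user, privileges, admin = sync_user(SAMPLE_ENTRY, CONFIG)
    print(user)
    print(privileges, "catalog admin:", admin)
```

With the pattern as configured, SXT_MY_GROUP_Editor yields the group MY_GROUP, because the first (.*) is greedy and backtracks only to the last underscore; the price is that a profile name can never contain an underscore. Whatever extraction is implemented, the check against the list of known profiles is the part not to skip: an LDAP attribute that users or help-desk staff can edit must not be able to mint arbitrary profile names.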
Backwards Compatibility Issues
- Security configuration is done in a configuration file (not through the user interface)
- Database changes (migration script provided):
  - User table: add an authtype column
- Configuration overrides do not work at all for the security configuration, and no migration is provided for them.
Risks
Participants
- As above