pki-bot / pki-issues-final


Using roles for ACL #257

Open pki-bot opened 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #258. Originally filed by edewata (@edewata) on 2012-07-23 23:23:56:


The current implementation doesn't use a standard way to define the security realm and access control. The realm uses custom code that reads the access control list defined in acl.ldif and auth.properties.

<Realm className="com.netscape.cmscore.realm.PKIJNDIRealm"
    ...
    roleBase="ou=groups,ou=ca,dc=example,dc=com"
    roleName="cn"
    roleSubtree="true"
    roleSearch="(uniqueMember={0})"
    ...
    aclBase="cn=aclResources,ou=ca,dc=example,dc=com"
    aclAttrName="resourceACLS"
/>

J2EE provides a more standard way to define access control using roles.

http://docs.oracle.com/javaee/6/tutorial/doc/bnbxj.html#bnbxk

Ideally the application should define a set of roles which contain users/groups. The roles are used to grant the users/groups access to certain resources in the application. The set of roles will be fixed in the application, but the user/group-to-role mapping will be stored in LDAP. This way the mapping can be dynamically managed without changing the application.

For example, the "Certificate Request Approver" role allows users/groups to approve/reject certificate requests. In web.xml the security constraint will be defined as follows:

<security-constraint>
    <web-resource-collection>
        ...
        <url-pattern>/pki/certrequest/approve</url-pattern>
        <url-pattern>/pki/certrequest/reject</url-pattern>
        ...
    </web-resource-collection>
    <auth-constraint>
        <role-name>Certificate Request Approver</role-name>
    </auth-constraint>
    ...
</security-constraint>

In the LDAP server there will be separate subtrees for users, groups, and roles. There will be a corresponding LDAP entry for the "Certificate Request Approver" role above. The entry may have members such as "Certificate Manager Agents" group or "admin" user.

It should be possible now to use a standard JNDI realm which uses the roles instead of groups, assuming the LDAP server can resolve indirect membership.

<Realm className="org.apache.catalina.realm.JNDIRealm"
    ...
    roleBase="ou=roles,ou=ca,dc=example,dc=com"
    roleName="cn"
    roleSubtree="true"
    roleSearch="(uniqueMember={0})"
/>
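The proposal above hinges on the caveat "assuming the LDAP server can resolve indirect membership": a realm whose roleSearch is (uniqueMember={0}) only finds role entries that list the user's DN directly, so a user who reaches the "Certificate Request Approver" role only through the "Certificate Manager Agents" group would be denied. The following is an added example, not Dogtag or Tomcat code, that models the proposed users/groups/roles layout as a constructed in-memory directory (all DNs and entries are invented) and contrasts direct role lookup with transitive resolution, then checks both against the url-pattern-to-role table from the proposed web.xml.

```python
# Added example (not Dogtag or Tomcat code): direct vs. transitive role
# resolution for the proposed layout with separate LDAP subtrees for
# users, groups and roles. All DNs and entries below are constructed.

# Constructed directory: DN -> attributes. 'uniqueMember' holds the DNs
# of users or groups, so a role may contain a group which contains users.
PEOPLE = "ou=people,ou=ca,dc=example,dc=com"
GROUPS = "ou=groups,ou=ca,dc=example,dc=com"
ROLE_BASE = "ou=roles,ou=ca,dc=example,dc=com"

ADMIN = f"uid=admin,{PEOPLE}"
AGENT = f"uid=agent1,{PEOPLE}"
AUDITOR = f"uid=auditor,{PEOPLE}"
AGENTS_GROUP = f"cn=Certificate Manager Agents,{GROUPS}"
APPROVER_ROLE = f"cn=Certificate Request Approver,{ROLE_BASE}"

DIRECTORY = {
    ADMIN: {"objectClass": ["person"]},
    AGENT: {"objectClass": ["person"]},
    AUDITOR: {"objectClass": ["person"]},
    AGENTS_GROUP: {"objectClass": ["groupOfUniqueNames"],
                   "uniqueMember": [AGENT]},
    APPROVER_ROLE: {"objectClass": ["groupOfUniqueNames"],
                    "uniqueMember": [AGENTS_GROUP, ADMIN]},
}


def rdn_value(dn):
    """Return the value of the first RDN, e.g. the cn of a role entry."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def direct_roles(user_dn):
    """What roleSearch="(uniqueMember={0})" under roleBase yields: only
    role entries that list the user's DN directly."""
    return sorted(rdn_value(dn) for dn, attrs in DIRECTORY.items()
                  if dn.endswith("," + ROLE_BASE)
                  and user_dn in attrs.get("uniqueMember", []))


def transitive_roles(user_dn):
    """Follow membership upwards through groups (and nested roles) until
    no new containing entry appears; the 'seen' set guards against
    membership cycles in the directory."""
    seen = set()
    frontier = [user_dn]
    while frontier:
        dn = frontier.pop()
        for container, attrs in DIRECTORY.items():
            if dn in attrs.get("uniqueMember", []) and container not in seen:
                seen.add(container)
                frontier.append(container)
    return sorted(rdn_value(dn) for dn in seen if dn.endswith("," + ROLE_BASE))


# The <security-constraint> from the proposed web.xml, as a table of
# url-pattern -> roles named by its auth-constraint.
CONSTRAINTS = {
    "/pki/certrequest/approve": {"Certificate Request Approver"},
    "/pki/certrequest/reject": {"Certificate Request Approver"},
}


def authorize(user_dn, path, resolver):
    """Grant access only if the resolver puts the user in a role named by
    the constraint for this path. Paths with no constraint are denied
    here to keep the example fail-closed (the servlet spec itself leaves
    unconstrained resources open)."""
    required = CONSTRAINTS.get(path)
    if required is None:
        return False
    return bool(required & set(resolver(user_dn)))


if __name__ == "__main__":
    for user in (ADMIN, AGENT, AUDITOR):
        print(rdn_value(user), "direct:", direct_roles(user),
              "transitive:", transitive_roles(user))
```

Running it shows admin in the role either way, agent1 only under transitive resolution, and the auditor in neither. The practical consequence is that a plain (uniqueMember={0}) realm fails closed for group-based role members rather than open, which is the safer failure but still a broken deployment; the resolution has to happen either in the directory (a server-side computed membership attribute) or in the realm (Tomcat's JNDIRealm later gained a roleNested attribute for exactly this).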
pki-bot commented 4 years ago

Comment from edewata (@edewata) at 2017-02-27 14:01:03

Metadata Update from @edewata: