Geonetwork API security

Geonetwork API security

pctan
Hi,

A few questions about the Geonetwork API security.

1. Are the actions (CRUD) only permitted to authorised users? Who are the authorised users?

[Attached image: image003.jpg]

2. The 'Authorise' function in the picture – how does it work?
3. What does it mean when there is a lock against an action?
4. The 'Try it out' against each action – it's not an actual update or delete, is it?


Thanks in advance.


Peck
-----------------------------------------------------------------------------------------------------
Peck Choo Tan I Analyst Programmer
GNS Science I Te Pῡ Ao
1 Fairway Drive, Avalon 5010, PO Box 30368, Lower Hutt 5040, New Zealand
Ph 04 570 4739 I Mob 021 2178684
http://www.gns.cri.nz/ | Email: [hidden email]


Notice: This email and any attachments are confidential and may not be used, published or redistributed without the prior written consent of the Institute of Geological and Nuclear Sciences Limited (GNS Science). If received in error please destroy and immediately notify GNS Science. Do not copy or disclose the contents.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
GeoNetwork-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geonetwork-users
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork


Re: Geonetwork API security

Jose Garcia
Hi Peck,

Authorisations for services are defined in
https://github.com/geonetwork/core-geonetwork/blob/3.4.x/web/src/main/webapp/WEB-INF/config-security/config-security-mapping.xml.
This file has permissions mostly for the legacy services that are using
the Jeeves framework (not yet migrated to the new API that uses Spring MVC).

For the new API, authorisations are defined in the Java methods for each
end-point using the @PreAuthorize annotation, like:

https://github.com/geonetwork/core-geonetwork/blob/3.4.x/services/src/main/java/org/fao/geonet/api/categories/TagsApi.java#L94

If there is no annotation on an end-point in the new API, the endpoint is public.

Regards,
Jose García


--
Vriendelijke groeten / Kind regards,
Jose García
<http://www.geocat.net/>
Veenderweg 13
6721 WD Bennekom
The Netherlands
T: +31 (0)318 416664
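
Added example (not part of the original thread and not GeoNetwork code): the reply says an end-point in the new API with no @PreAuthorize annotation is public, so a source scan can list the handler methods that carry no guard. This is a line-based heuristic in Python, not a Java parser; it only sees public/protected/private methods, and the SAMPLE controller and the function names are constructed for illustration.

```python
import re

# Constructed sample controller in the Spring MVC style the reply describes.
SAMPLE = '''
@RequestMapping(value = "/api/tags")
@Controller("tags")
public class TagsApi {

    @RequestMapping(method = RequestMethod.GET)
    public List<Tag> getTags() { return null; }

    @RequestMapping(method = RequestMethod.PUT)
    @PreAuthorize("hasRole('UserAdmin')")
    public int putTag(Tag tag) { return 0; }

    @RequestMapping(value = "/{id}", method = RequestMethod.DELETE)
    public void deleteTag(int id) { }
}
'''

MAPPING = re.compile(r'@(?:Request|Get|Post|Put|Delete|Patch)Mapping\b')
GUARD = re.compile(r'@PreAuthorize\s*\(\s*"([^"]*)"')
CLASS = re.compile(r'^\s*(?:public\s+|final\s+|abstract\s+)*class\s+\w+')
METHOD = re.compile(r'^\s*(?:public|protected|private)\b[^;{=]*?\b(\w+)\s*\(')

def audit_endpoints(java_source):
    """Return [(method_name, guard_expression_or_None)] for each mapped handler."""
    results, buffer, class_guard = [], [], None
    for line in java_source.splitlines():
        if CLASS.match(line):
            # Spring Security applies a type-level @PreAuthorize to the class's methods.
            g = GUARD.search("\n".join(buffer))
            class_guard = g.group(1) if g else None
            buffer = []
        elif METHOD.match(line):
            text = "\n".join(buffer)       # annotations seen since the last declaration
            if MAPPING.search(text):       # only request-mapped methods are end-points
                g = GUARD.search(text)
                name = METHOD.match(line).group(1)
                results.append((name, g.group(1) if g else class_guard))
            buffer = []
        else:
            buffer.append(line)
    return results

def public_endpoints(java_source):
    """Names of mapped handlers with no method-level or class-level guard."""
    return [name for name, guard in audit_endpoints(java_source) if guard is None]

if __name__ == "__main__":
    for name in public_endpoints(SAMPLE):
        print("no @PreAuthorize:", name)
```

A handler reported here may be intentionally public (for example a read-only listing); the output is a review list, with write operations such as the constructed deleteTag being the entries to check first.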