Hi,
I followed the information on SecurityRules here:
http://docs.neo4j.org/chunked/stable/security-server.html
We have Neo4j 1.8.2, running on Linux, with our own unmanaged extensions.
Basically, we want to add restrictions on accesses to /webadmin and /db, whilst allowing access to our unmanaged extensions which are all mounted at /app
It looks as if the SecurityRule forUriPath doesn't let me restrict /webadmin and /db in one SecurityRule class. So, I created 2:
- one to match /db*
- one to match /webadmin*
and then defined them in the neo4j-server.properties file:
org.neo4j.server.rest.security_rules=austlit.neo.security.DBSecurityRule,austlit.neo.security.WebadminSecurityRule
The classes look like this:
package austlit.neo.security;

import javax.servlet.http.HttpServletRequest;

import org.neo4j.server.rest.security.SecurityFilter;
import org.neo4j.server.rest.security.SecurityRule;

public class DBSecurityRule implements SecurityRule {

    public static final String REALM = "austlitNeo4j-db";

    // Deny everything under /db for now; the println is just to see whether the rule is ever consulted.
    @Override
    public boolean isAuthorized(HttpServletRequest request) {
        System.out.println("DDDDDDDDDD DBSecurityRule isAuthorized req=" + request);
        return false;
    }

    // Path this rule is installed on ("*" is a wildcard).
    @Override
    public String forUriPath() {
        System.out.println("FFFFFFFFFFFFFF DDDDDDDDDD DBSecurityRule forUriPath");
        return "/db*";
    }

    // Challenge sent back with the 401 when isAuthorized() returns false.
    @Override
    public String wwwAuthenticateHeader() {
        System.out.println("DDDDDDDDDD DBSecurityRule wwwAuthenticateHeader");
        return SecurityFilter.basicAuthenticationResponse(REALM);
    }
}
The webadmin one is the same, but with different constants.
The interesting thing is that both get "initiated":
FFFFFFFFFFFFFF DDDDDDDDDD DBSecurityRule forUriPath
5/16/13 7:19:47 PM org.neo4j.server.modules.SecurityRulesModule INFO: Security rule [austlit.neo.security.DBSecurityRule] installed on server
Security rule [austlit.neo.security.DBSecurityRule] installed on server
FFFFFFFFFFFFFF WWWWWWWWWW WebadminSecurityRule forUriPath webadmin
5/16/13 7:19:47 PM org.neo4j.server.modules.SecurityRulesModule INFO: Security rule [austlit.neo.security.WebadminSecurityRule] installed on server
Security rule [austlit.neo.security.WebadminSecurityRule] installed on server
But only the second one defined ever gets called in the isAuthorized() method.
If I swap the order, I swap which one gets called in isAuthorized()
So, I'm thinking:
- despite the parameter being a plural ( org.neo4j.server.rest.security_rules=), you really can only use one class here, and it is taking the last defined
- the only way to do what I want is to define a single class with a forUriPath of "*", and look at the request in the isAuthorized() method to differentiate between /app and everything else.
Is there a better way? Have I made a dumb mistake?
Thanks!
Kent Fitch
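The second option the post proposes (one catch-all rule with forUriPath "*" that decides per request) sketched out as an added example; this is not code from the post or from Neo4j. It uses only the SecurityRule/SecurityFilter methods shown above plus standard servlet and JDK calls. The class name, the REALM value, the placeholder credentials and the choice of javax.xml.bind.DatatypeConverter for Base64 decoding are assumptions made for the example; the rule would be registered alone in org.neo4j.server.rest.security_rules.

```java
package austlit.neo.security;

import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.MessageDigest;

import javax.servlet.http.HttpServletRequest;
import javax.xml.bind.DatatypeConverter;

import org.neo4j.server.rest.security.SecurityFilter;
import org.neo4j.server.rest.security.SecurityRule;

/**
 * Added example: a single rule installed on every path. Requests under /app/
 * pass through; everything else (/db, /webadmin, ...) needs valid HTTP Basic
 * credentials. Class name and constants are assumptions for the example.
 */
public class CatchAllSecurityRule implements SecurityRule {

    public static final String REALM = "austlitNeo4j";

    // Trailing slash matters: a bare "/app" prefix would also match "/application...".
    private static final String OPEN_PREFIX = "/app/";

    // Placeholder credentials for the example; real ones belong in configuration.
    private static final String EXPECTED_USER = "CHANGE_ME_USER";
    private static final String EXPECTED_PASSWORD = "CHANGE_ME_PASSWORD";

    @Override
    public String forUriPath() {
        return "*"; // installed on every path; the decision is made in isAuthorized()
    }

    @Override
    public String wwwAuthenticateHeader() {
        return SecurityFilter.basicAuthenticationResponse(REALM);
    }

    @Override
    public boolean isAuthorized(HttpServletRequest request) {
        String path = normalizedPath(request.getRequestURI());
        if (path == null) {
            return false; // unparseable path: deny rather than guess
        }
        if (path.equals("/app") || path.startsWith(OPEN_PREFIX)) {
            return true;
        }
        return hasValidBasicCredentials(request.getHeader("Authorization"));
    }

    // Decode percent-escapes, then collapse "." and ".." so that a request for
    // "/app/../db/data" is judged as "/db/data" and not as something under /app/.
    static String normalizedPath(String rawPath) {
        try {
            String decoded = new URI(rawPath).getPath();
            return new URI(null, null, decoded, null).normalize().getPath();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    static boolean hasValidBasicCredentials(String authorization) {
        if (authorization == null || !authorization.startsWith("Basic ")) {
            return false;
        }
        String decoded;
        try {
            byte[] raw = DatatypeConverter.parseBase64Binary(authorization.substring(6).trim());
            decoded = new String(raw, "UTF-8");
        } catch (IllegalArgumentException e) {
            return false; // malformed Base64
        } catch (UnsupportedEncodingException e) {
            return false;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return false;
        }
        String user = decoded.substring(0, colon);
        String password = decoded.substring(colon + 1);
        // Constant-time comparison so response timing does not reveal how much of
        // the expected value matched.
        return constantTimeEquals(user, EXPECTED_USER)
            && constantTimeEquals(password, EXPECTED_PASSWORD);
    }

    private static boolean constantTimeEquals(String a, String b) {
        try {
            return MessageDigest.isEqual(a.getBytes("UTF-8"), b.getBytes("UTF-8"));
        } catch (UnsupportedEncodingException e) {
            return false;
        }
    }
}
```

Two points worth checking when adapting this: the path test is done on a normalized, decoded path so that traversal segments or encoded slashes cannot make a /db request look like an /app one, and the open prefix ends in a slash so that sibling paths sharing the letters "app" stay protected.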