implementing multiple SecurityRules


KentFitch

May 16, 2013, 5:34:46 AM
to ne...@googlegroups.com
Hi,

I followed the information on SecurityRules here: http://docs.neo4j.org/chunked/stable/security-server.html

We have Neo4j 1.8.2, running on linux, with our own unmanaged extensions.

Basically, we want to add restrictions on accesses to /webadmin and /db, whilst allowing access to our unmanaged extensions which are all mounted at /app

It looks as if the SecurityRule forUriPath doesn't let me restrict /webadmin and /db in one SecurityRule class. So, I created 2:
- one to match /db*
- one to match /webadmin*

and then defined them in the neo4j-server.properties file:

org.neo4j.server.rest.security_rules=austlit.neo.security.DBSecurityRule,austlit.neo.security.WebadminSecurityRule

The classes look like this:

package austlit.neo.security ;

// Imports the class needs (the original post elided them).
import javax.servlet.http.HttpServletRequest ;
import org.neo4j.server.rest.security.SecurityFilter ;
import org.neo4j.server.rest.security.SecurityRule ;

public class DBSecurityRule implements SecurityRule {

    public static final String REALM = "austlitNeo4j-db" ;

    // Debug output left in to trace which rule actually gets invoked.
    public boolean isAuthorized(HttpServletRequest request) {
        System.out.println("DDDDDDDDDD DBSecurityRule isAuthorized req="+request ) ;
        return false ;
    }

    public String forUriPath() {
        System.out.println("FFFFFFFFFFFFFF DDDDDDDDDD DBSecurityRule forUriPath") ;
        return "/db*" ;
    }

    public String wwwAuthenticateHeader(){
        System.out.println("DDDDDDDDDD DBSecurityRule wwwAuthenticateHeader") ;
        return SecurityFilter.basicAuthenticationResponse(REALM) ;
    }
}

The webadmin one is the same, but with different constants.

The interesting thing is that both get "initiated":

FFFFFFFFFFFFFF DDDDDDDDDD DBSecurityRule forUriPath
5/16/13 7:19:47 PM org.neo4j.server.modules.SecurityRulesModule INFO: Security rule [austlit.neo.security.DBSecurityRule] installed on server
Security rule [austlit.neo.security.DBSecurityRule] installed on server
FFFFFFFFFFFFFF WWWWWWWWWW WebadminSecurityRule forUriPath webadmin
5/16/13 7:19:47 PM org.neo4j.server.modules.SecurityRulesModule INFO: Security rule [austlit.neo.security.WebadminSecurityRule] installed on server
Security rule [austlit.neo.security.WebadminSecurityRule] installed on server

But only the second one defined ever gets called in the isAuthorized() method. 

If I swap the order, I swap which one gets called in isAuthorized()


So, I'm thinking:

- despite the parameter being a plural ( org.neo4j.server.rest.security_rules=), you really can only use one class here, and it is taking the last defined

- the only way to do what I want is define a single class forUriPath of "*", and look at the request in the isAuthorized() method and differentiate between /app and everything else.

Is there a better way?  Have I made a dumb mistake?

Thanks!

Kent Fitch
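One way to build the single catch-all rule Kent describes as a workaround: match every path in forUriPath() and do the /app-versus-everything-else split inside isAuthorized(). This is an added example, not code from the thread or from Neo4j; the class name, the embedded credential and the use of Java 8's java.util.Base64 are assumptions.

```java
package austlit.neo.security;  // the poster's package; class name below is hypothetical

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import org.neo4j.server.rest.security.SecurityFilter;
import org.neo4j.server.rest.security.SecurityRule;

/** Single rule: /app (unmanaged extensions) stays open, everything else needs Basic auth. */
public class CatchAllSecurityRule implements SecurityRule {

    public static final String REALM = "austlitNeo4j";
    // Constructed example credential "user:password"; load the real one from configuration.
    private static final byte[] EXPECTED =
            "admin:example-secret".getBytes(StandardCharsets.UTF_8);

    @Override
    public String forUriPath() {
        return "/*";  // catch-all: the path test happens in isAuthorized()
    }

    @Override
    public boolean isAuthorized(HttpServletRequest request) {
        String path = request.getRequestURI();
        // Only an exact "/app" or a path below "/app/" is open; "/application" is not.
        if (path != null && (path.equals("/app") || path.startsWith("/app/"))) {
            return true;
        }
        // /db, /webadmin and anything else: require valid HTTP Basic credentials.
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Basic ")) {
            return false;  // triggers the 401 challenge from wwwAuthenticateHeader()
        }
        byte[] supplied;
        try {
            supplied = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return false;  // malformed Base64: deny rather than throw
        }
        // Constant-time comparison so the check does not leak how much of the secret matched.
        return MessageDigest.isEqual(supplied, EXPECTED);
    }

    @Override
    public String wwwAuthenticateHeader() {
        return SecurityFilter.basicAuthenticationResponse(REALM);
    }
}
```

Register it alone in org.neo4j.server.rest.security_rules; because it matches every path, the order problem Kent hit with two rules does not arise.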

Jim Webber

May 16, 2013, 9:28:59 PM
to ne...@googlegroups.com
Hi Kent,

I think I can reproduce this behaviour by changing the order of the security rules in SecurityRulesDocIT.should401WithBasicChallengeIfAnyOneOfTheRulesFails()

I'm about to board a plane now, but I'll try to fix the problem in the 2.0 branch.

Jim

KentFitch

May 17, 2013, 1:06:23 AM
to ne...@googlegroups.com
Thanks Jim - in the meantime, we'll work around

Kent

Jim Webber

May 21, 2013, 6:47:34 PM
to ne...@googlegroups.com
Hi Kent,

I've just pushed some code that I think addresses your report - essentially I took the responsibility for the chain of filters away from the underlying Web server and brought it into the Neo4j server code where it's easier to reason about.

Take a look at this commit for the details: https://github.com/neo4j/neo4j/commit/c5515c13b9b15e4e2ba14a91d0ba8d8266576063

The binaries should be making their way into the maven ecosystem shortly as the build system chugs along. If you could give it a whirl with your application and see that it works, that'd be much appreciated.

Jim