...
- Apache HttpServer is configured to require all requests to the four DuraCloud web applications (/duradmin, /durastore, /duraservice, and /duraboss) go over https.
Below are the https enforcement rules configured in Apache. The X-Forwarded-Proto header is provided by AWS Elastic Load Balancers.
| Code Block |
|---|
###
# ensure 'duradmin' uses https
###
RewriteCond %{REQUEST_URI} /duradmin
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule !/status https://%{SERVER_NAME}$1 [R=301,L]
###
# try to require https for 'durastore' & 'duraboss' for
# external requests
###
RewriteCond %{REQUEST_URI} ^(/durastore|/duraboss)
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{SERVER_NAME} !^localhost$
RewriteCond %{SERVER_NAME} !^127.0.0.1$
RewriteCond %{REMOTE_HOST} !^127.0.0.1$
RewriteCond ${local-ip-map:%{REMOTE_HOST}} !^localhost$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [R=301,L]
[L,R] |
Application Security Implementation
...
DuraCloud leverages Spring's mechanism for wiring AuthN/Z into an application across servlet url patterns.
The following access rules are placed across the durastore and duraservice REST-APIs:
| Panel |
|---|
| title | Initialization REST Methods - Common across all applications |
|---|
|
Action | Role |
|---|
Is Initialized | ROLE_ANONYMOUS | Initialize | ROLE_ROOT | Initialize Security Users | ROLE_ROOT |
|
| Panel |
|---|
| title | DuraStore REST Methods |
|---|
|
Action | Role |
|---|
Get Stores | ROLE_USER | Get Spaces | ROLE_ANONYMOUS if space ACL allows public read, else ROLE_USER | Get Space | ROLE_ANONYMOUS if space ACL allows public read, else ROLE_USER | Get Space Properties | ROLE_ANONYMOUS if space ACL allows public read, else ROLE_USER | Get Space ACLs | ROLE_ANONYMOUS if space ACL allows public read, else ROLE_USER | Create Space | ROLE_ADMIN | Set Space Properties | ROLE_USER | Set Space ACLs | ROLE_ADMIN | Delete Space | ROLE_ADMIN | Get Content | ROLE_ANONYMOUS if space ACL allows public read, else ROLE_USER | Get Content Properties | ROLE_ANONYMOUS if space ACL allows public read, else ROLE_USER | Store Content | ROLE_USER | Copy Content | ROLE_USER | Set Content Properties | ROLE_USER | Delete Content | ROLE_USER | Get Tasks | ROLE_ADMIN | Perform Task | ROLE_ADMIN | | Perform Task (restore-content) | ROLE_ROOT |
|
| Panel |
|---|
| title | DuraBoss REST Methods |
|---|
|
Action | Role |
|---|
Get Latest Storage Report | ROLE_ADMIN | Get Storage Report List | ROLE_ADMIN | Get Storage Report | ROLE_ADMIN | Get Storage Report Info | ROLE_ADMIN | Start Storage Report | ROLE_ROOT | Cancel Storage Report | ROLE_ROOT | Schedule Storage Report | ROLE_ROOT | Cancel Storage Report Schedule | ROLE_ROOT |
|
Roles
The fixed set of users/roles listed below are provided in DuraCloud. Each role in the list below represents a super set of the privileges of those above it.
...