[midPoint-git] [Evolveum/midpoint] da667e: Make REST authorizations finer-grained

mederly noreply at github.com
Tue Feb 13 19:52:16 CET 2024


  Branch: refs/heads/tmp/detailed-rest-autz
  Home:   https://github.com/Evolveum/midpoint
  Commit: da667ef7debff76ef5e496913b85634ec2ec0650
      https://github.com/Evolveum/midpoint/commit/da667ef7debff76ef5e496913b85634ec2ec0650
  Author: Pavol Mederly <mederly at evolveum.com>
  Date:   2024-02-13 (Tue, 13 Feb 2024)

  Changed paths:
    M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/util/EndPointsUrlMapping.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SecurityHelper.java
    M model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/AbstractRestController.java
    M model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ClusterRestController.java
    M model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ExtensionSchemaRestController.java
    M model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ModelRestController.java
    M repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/DummyAuditService.java
    A repo/security-api/src/main/java/com/evolveum/midpoint/security/api/RestMethod.java
    M repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/SecurityEnforcer.java
    M testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/AbstractRestServiceInitializer.java
    M testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/RestServiceInitializer.java
    M testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestAbstractRestService.java
    A testing/rest/src/test/resources/repo/role-rest-limited.xml
    A testing/rest/src/test/resources/repo/user-rest-limited.xml

  Log Message:
  -----------
  Make REST authorizations finer-grained

While "rest-3#all" authorization still exists, it is no longer
required to use it when only a subset of REST methods is to be
accessed by a particular client. Each method now has its own
authorization.

Related change: Due to the current authentication architecture
in midPoint, these authorizations are checked in the respective
methods' bodies. So, if an unauthorized method is called, the
"login success" is audited, but the operation immediately fails.
The failure is recorded in the termination (logout) event. And
this is the change: the logout event now contains the real status
of the whole operation. (Previously, it was always SUCCESS.)
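The flow the commit message describes, as an added toy model (not midPoint's own code): authentication succeeds and is audited before the method body runs, the per-method authorization is checked inside the body, and the termination (logout) audit event carries the real outcome. "rest-3#all" is the catch-all named in the commit; the per-method URIs (rest-3#<method>), the method names and the event shape are constructed placeholders, not midPoint's real identifiers.

```python
from dataclasses import dataclass

ALL_REST = "rest-3#all"  # catch-all authorization named in the commit; still honoured


@dataclass(frozen=True)
class Principal:
    name: str
    authorizations: frozenset  # authorization URIs granted through the user's roles


@dataclass(frozen=True)
class AuditEvent:
    stage: str    # "LOGIN" (session start) or "TERMINATION" (logout)
    outcome: str  # "SUCCESS" or "FAILURE"
    method: str
    user: str


def is_authorized(principal: Principal, method: str) -> bool:
    """Catch-all wins; otherwise the per-method authorization must be present.
    The rest-3#<method> URI scheme is a placeholder assumed for this example."""
    return ALL_REST in principal.authorizations or f"rest-3#{method}" in principal.authorizations


def handle_rest_call(principal: Principal, method: str, audit: list,
                     old_behaviour: bool = False) -> str:
    """Dispatch one REST call and append its two audit events to `audit`.

    Authentication has already succeeded when the method body is entered, so a
    LOGIN SUCCESS event is always recorded. The authorization check lives in the
    method body; its result decides the TERMINATION outcome. With old_behaviour
    the termination event is always SUCCESS, as the commit says it used to be."""
    audit.append(AuditEvent("LOGIN", "SUCCESS", method, principal.name))
    if is_authorized(principal, method):
        result = "SUCCESS"  # the real method body would run here
    else:
        result = "FAILURE"  # operation fails immediately, nothing else executes
    audit.append(AuditEvent("TERMINATION", "SUCCESS" if old_behaviour else result,
                            method, principal.name))
    return result


def denied_calls(audit: list) -> list:
    """Defender's view: (user, method) pairs whose session ended in FAILURE.
    Only meaningful once the termination event carries the real status."""
    return [(e.user, e.method) for e in audit
            if e.stage == "TERMINATION" and e.outcome == "FAILURE"]
```

Run the same denied call with `old_behaviour=True` to see why the previous always-SUCCESS logout event hid authorization failures from audit review.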
