MH-11970

Spring Security filter should be applied after switching user for external API


    • Type: Task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects versions: 2.3.0
    • Fix versions: 4.6
    • Components: External API


      The Opencast documentation recommends creating a user with ROLE_SUDO (one per application) to call the External API. The API calls should then be made on behalf of a regular user; this guarantees that the requested resource is returned as that user is allowed to see it. The switch is done by changing the user with the X-RUN-AS-USER or X-RUN-WITH-ROLES HTTP headers.
      The current implementation is broken in this respect, because the user switch happens after the Spring Security filter chain has been applied to the HTTP request. Opencast therefore checks the security constraints against the application user (holding ROLE_SUDO) rather than against the calling user (i.e. one holding some ROLE_API_*_VIEW roles).

      Steps to reproduce:
      1. create an external user with the role ROLE_SUDO
      2. create an apiuser with ROLE_API and, optionally, ROLE_API_EVENTS_VIEW
      3. log in as the external user
      4. call http://localhost:8080/api/info/me and check that the response is 403, because the external user does not have ROLE_API
      5. call http://localhost:8080/api/info/me with the header "X-RUN-AS-USER: apiuser"

      Here we expect a JSON document with the user info, but the response is 403 too.
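The following is an added example, not Opencast code: a small Python model of the two filters involved (a run-as switch and a ROLE_API access rule) chained in front of the /api/info/me handler, run in both orders against the users and steps described above. The filter names, the `Request`/`SecurityContext` types and the in-memory user table are assumptions of this model; the user names and roles come from the reproduction steps. It shows that with authorization before the switch, step 5 yields 403 as reported, while with the switch first the effective user apiuser is authorized and only callers holding ROLE_SUDO may switch at all.

```python
"""Model of the filter-ordering problem in MH-11970 (added example, not Opencast code).

Two servlet-style filters run in front of a handler:
  - run_as_filter: switches the effective user from the X-RUN-AS-USER header
  - api_authorization_filter: enforces the ROLE_API requirement for /api/**
Which principal the authorization check sees depends only on the order the
filters run in.
"""
from dataclasses import dataclass, field

# Constructed sample users matching the reproduction steps (assumed user table).
USERS = {
    "external": {"ROLE_SUDO"},
    "apiuser": {"ROLE_API", "ROLE_API_EVENTS_VIEW"},
}


@dataclass
class Request:
    path: str
    authenticated_user: str          # principal established by HTTP authentication
    headers: dict = field(default_factory=dict)


@dataclass
class SecurityContext:
    user: str
    roles: set


class Forbidden(Exception):
    """Raised by a filter to abort the chain with HTTP 403."""


def run_as_filter(req, ctx):
    """Switch the effective user if X-RUN-AS-USER is present.

    Only a principal holding ROLE_SUDO may switch; anyone else is refused,
    so the header cannot be used for privilege escalation by API users."""
    target = req.headers.get("X-RUN-AS-USER")
    if target is None:
        return ctx
    if "ROLE_SUDO" not in ctx.roles:
        raise Forbidden("only ROLE_SUDO may use X-RUN-AS-USER")
    if target not in USERS:
        raise Forbidden("unknown run-as user")
    return SecurityContext(user=target, roles=set(USERS[target]))


def api_authorization_filter(req, ctx):
    """Spring-Security-style access rule: everything under /api/ needs ROLE_API."""
    if req.path.startswith("/api/") and "ROLE_API" not in ctx.roles:
        raise Forbidden("ROLE_API required")
    return ctx


def handle_request(req, filter_chain):
    """Run the filters in order, then the /api/info/me handler. Returns (status, body)."""
    ctx = SecurityContext(user=req.authenticated_user,
                          roles=set(USERS[req.authenticated_user]))
    try:
        for flt in filter_chain:
            ctx = flt(req, ctx)
    except Forbidden:
        return 403, None
    # /api/info/me reports the effective user after all filters ran
    return 200, {"username": ctx.user, "roles": sorted(ctx.roles)}


# Ordering the issue describes as current behaviour: authorize, then switch.
BROKEN_CHAIN = [api_authorization_filter, run_as_filter]
# Ordering the issue asks for: switch first, then authorize the effective user.
FIXED_CHAIN = [run_as_filter, api_authorization_filter]


def reproduce(chain):
    """Steps 4 and 5 of the issue against the given chain; returns both status codes."""
    plain = Request("/api/info/me", "external")
    switched = Request("/api/info/me", "external", {"X-RUN-AS-USER": "apiuser"})
    return handle_request(plain, chain)[0], handle_request(switched, chain)[0]


if __name__ == "__main__":
    print("authorize-then-switch:", reproduce(BROKEN_CHAIN))   # (403, 403)
    print("switch-then-authorize:", reproduce(FIXED_CHAIN))    # (403, 200)
```

Step 4 returns 403 in both orderings, because the external user itself never holds ROLE_API; the two orderings only differ in step 5, where the authorization rule must be evaluated against apiuser rather than against the ROLE_SUDO principal. The model also keeps the ROLE_SUDO check inside the switch, so an API user sending X-RUN-AS-USER gets 403 rather than another user's roles.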





              • Assignee: Waldemar Smirnow (Inactive)
              • Watchers: 1

