How to create a read-only user for NEO4J 2.2 - neo4j

Now I want to create a read-only user who can login the web browser and webadmin without the permission to modify the graph.
I know there is read-only mode , but this will get the instance read-only, not very convenient for my bussiness requirement.
My question is :
1,if there is a configuration to add a read-only user, how can I do this? I didn`t find this in documentation.
2,If there is not, I would like to create a customized configuration for this, and where should I find the file store user,passowrd or authorization token?
Could you give some suggestions? Any answer is appriciated!

The new user authorization feature doesn't provide roles or different access levels. At the moment it's "all or nothing". Upcoming versions of Neo4j will most likely have some role based concept aboard.
In the meantime you can implement SecurityRules on your own. SecurityRules are acting like servlet filter and allow vetoing the execution of a certain incoming http request.

Related

Shiro and client certs

For my JSF/TomEE application, I have a NoSQL database with users and roles that specifies how users can access resources (basically, IDs in a url parameter) either read-only or write.
I want to implement security and this post gave me some ideas but I am keen to try a 3rd party library - probably Shiro or PicketLink. The rule is that users will authenticate themselves with a client certificate, and if that is not provided, they will be authenticated as a default guest user.
Surprisingly, I am having a bit of trouble finding some information on how to do this in Shiro, it doesn't look straight forward. It is a bit of a surprise to me that there is nothing "out of the box" in Shiro to implement client certificate authentication.
So I think I have to create a Realm to "connect" Shiro with my database. Then I read I might need to extend org.apache.shiro.authc.UsernamePasswordToken to read the certificate and pass it to Shiro. Then I suppose I have to restrict access to content in JSF xhtml pages (using the rendered attribute for example) and I suppose that even in all methods of the Named Managed beans I will need to check the permissions.
Also, It is not clear to me how I can assign the guest user when a certificate is not provided, since apparently it is TomEE the one who validates the client, so if no certificate is provided, my code will not get executed to assign the guest user. I could open two different ports in TomEE, but then the access will not be unified, since I want to treat the guest user uniformely, as any other user in the system. How can this be done?
Is this implemented in a easier way in PicketLink? (which is also better prepared for JSF)
OK, it took me a while and a lot of research, so I will summarise my findings dramatically. I documented everything but do not want to create a book chapter.
So I decided to go with Shiro, and everything I describe works and can be done. This X509certificate project for Shiro was quite useful. Basically, you need to implement a Realm overriding two methods (one for authentication and another for authorisation) - there is a class to extend in the code I mentioned before.
The distiction of a user not providing a cert can be done in the Shiro Filter, so when no token (certificate) is provided, one can be created on the fly or read from a keystore.
For restricting access in JSF there are some shiro tags that can help, no need to use rendered. I have checked permissions also in the beans or other classes accessing the database. This works once the permissions have been established in the authorisation method.
The issue with Tomcat can be solved by using <Connector port="..." ClientAuth="want" ... which will ask for a certificate but will not stop the user if no certificate is provided.

XPages Social Business Toolkit

I am trying to implement XPagesSBT on localhost.
I have followed this article http://heidloff.net/home.nsf/dx/12152011034545AMNHECAP.htm and the SBT document by Niklas and was trying to implement dropbox oAuth.
I have also placed http://localhost/XPagesSBT.nsf/ and http://localhost/WebSecurityStore.nsf in root folder
but still i get this error
Error while executing JavaScript action expression
Script interpreter error, line=1, col=26: Error calling method 'isAuthenticated()' on java class 'com.ibm.xsp.extlib.sbt.services.client.endpoints.DropboxEndpoint'
No application is registered with id XPagesSBT and provider Dropbox
if(!#Endpoint("dropbox").isAuthenticated()) {#Endpoint("dropbox").authenticate(true);}
do i need to make any other configuration /setup to XPagesSBT db? or it wont work with Localhost?
I don't remember exactly anymore but reading my blog entry you linked it says you shouldn't use Anonymous:
"Additionally there are a couple of security related settings which are important to understand. First of all you need to assign access to the document with the application keys to the ID with which you signed the two NSFs. In the screenshot above I've entered both OpenNTF servers and my own user ID. When you use the web UI to do this these names are added to the document in an authors field and a readers field.
In the last step you need to configure the ACL of the security store. Anonymous must not have access to this database. All users who you want to be able to use the Social Enabler OAuth functionality need to have author access. This is so that their user keys can be stored in this database so that they only have to do the OAuth dance once. "
It should work on localhost. It looks like a configuration issue with SBT not being able to read the security tokens from the websecuritystore.nsf . Did you create the Dropbox Application Key with an admin id and sign the websecuritystore with the correct id?
Padraic

Using a Custom Single Sign On Authentication Service with Spring Security Core Plugin

I'm working on a Grails application and want to integrate with a custom single-sign-on service (not CAS, but similar). I'm struggling to find all the pieces that I need to customize to make this happen. Can someone explain to me a general outline as to what I need to use to accomplish this? I've read the documentation on the plugin, but it assumes I know which beans to override and where to put all the needed files.
I've block-quoted what I think needs to be done based on my research below each point.
Order of Operations
1- The user requests secure content (everything is secure in the application for now)
I believe this setting is in the Config.groovy file:
grails.plugins.springsecurity.rejectIfNoRule = true
grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugins.springsecurity.interceptUrlMap = [
'/**':['ROLE_ADMIN']
]
2- Spring Security checks to see if the user has a specific value set in a cookie provided by the authentication service
I'm guessing I need to create an authentication filter, but I don't know where to put it or what it should look like.
If they don't, the user is redirected to this custom SSO service, they login, once authenticated, the user is redirected back to my application (with a new cookie set)
3- Spring security checks for the cookie value and validates it against the custom service (via HTTP POST)
From some research, I think that I need to use PreAuthenticatedProcessingFilter, but I haven't been able to find any examples of how to do this.
4- The custom service returns a series of name/value pairs, a user then needs to be created in the local application database (or the timestamp of "lastLoggedIn" is updated if they user's data is already in the database)
I believe this is done in the same PreAuthenticatedProcessingFilter as number 3 or in a GrailsUserDetailsService
5- The user's authentication is cached in the session for a period of time (6-8 hours) so that re-validation against the SSO service doesn't need to occur every time the user requests a new resource.
I'm not sure if this is something that's done inherently or if I need to add code to do this (and also set the session timeout)

How to restrict the allowable permission-set for the OAuth 'scope' parameter (restricting scope)

I want to use Facebook as an authentication source for my application (a website) users. I do not want my application to have anything but basic and email permissions. Thus, my application must not be able to publish to a user's wall for example. In other words, I want to restrict the allowable set of values for the scope parameter and I want this restriction to occur on the application's configuration pages (on the Facebook site itself).
Normally this would be easy, just specify 'email' for the scope parameter of the OAuth URL/call.
However in this case there is another factor and this is: a hacker may gain access to the app and change the OAuth call to specify more permissions. Then an unsuspecting user will typically (or at least possibly) grant those permissions and the hacker will be able to grab the OAuth token and perform actions on behalf of that user.
I'm not interested in discussing the whys of this issue, just in finding of there is a way to specify that my application can only use a specific set of values for the scope parameter. Ideally this specification of the scope restriction be done in the application configuration page on Facebook itself.
However, I am interested in alternate solutions that involve using SAML, OpenID or some other authentication only mechanism (even if I cannot get the users email address). I'm not interested in using RPX.
Please note: this is a complex question not a simple one. I have searched far and wide for an answer and have just found what amounts to the opposite of this question.
I'm pretty sure it's not possible to restrict the scope at application configuration level.
I'd say the tidiest workaround would be to query the permissions of a user on signup, check that they match the allowed permissions, and subscribe to the (permissions realtime updates)[http://developers.facebook.com/docs/reference/api/realtime/]. Your app will be notified of any changes in permissions granted to users.
This should allow you to block any server side API calls through application logic, or (ban)[https://developers.facebook.com/docs/reference/api/application/#banned] a user which escalates permissions.

implement acl on field in spring security

I would like implement spring acl for my object fields.
does anyone has an idea what do i have to implment for it?
for example, i have Purchase object.
i would like admin_role to have read on all the fields, and secretary_role to have read only on username and address field
Can you clarify at what point you need the security?
If this is part of a webapp, I frequently use stripes security interceptors in combination with spring to control access to what the user sees based on role.
If it's not part of a webapp and you're looking to control what a user can change there's a number of methods available from custom annotations to database control. I've found the project itself usually dictates which path I should follow.
extend org.springframework.security.acls.domain.BasePermission and introduce your own Permission flag (up to 32 bits are supported)

Resources