Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Modeling » EMF » [CDO] Set up security manager
[CDO] Set up security manager [message #1004469] Wed, 23 January 2013 09:59 Go to next message
Pierre Gaufillet is currently offline Pierre Gaufillet
Messages: 30
Registered: July 2009
Member
Hi!

I am currently setting up a mock up based on CDO to demonstrate the capabilities of this great framework, and I am facing issues with the security manager. Using CDO explorer, I have created a /security resource with the following content :

/Realm (Default Access: READ)
|_User (ID: user01)

Then configured the server with: <securityManager type="default" realmPath="/security"/>

It seems to start smoothly, but I am unable to log into the repository.
Beyond this specific problem, I have a 2 related questions:

- How to set up a password for users? It seems impossible through the tree editor. Does it need to be done using the API?

- How to specify the EPackages for which you want to define permissions? When I add a Package Permission to Role, I don't see the registered EPackages in the list.

Thanks for your help!

Pierre
Re: [CDO] Set up security manager [message #1004478 is a reply to message #1004469] Wed, 23 January 2013 10:21 Go to previous messageGo to next message
Eike Stepper is currently offline Eike Stepper
Messages: 5527
Registered: July 2009
Senior Member
Am 23.01.2013 10:59, schrieb Pierre Gaufillet:
> Hi!
>
> I am currently setting up a mock up based on CDO to demonstrate the capabilities of this great framework, and I am
> facing issues with the security manager. Using CDO explorer, I have created a /security resource with the following
> content :
>
> /Realm (Default Access: READ)
> |_User (ID: user01)
I think it should be possible to create an initial realm manually but it's proobably easier and maybe safer to let the
security manager do this in SecurityManager.createRealm().

> Then configured the server with: <securityManager type="default" realmPath="/security"/>
>
> It seems to start smoothly, but I am unable to log into the repository.
Because of what problem? What happens?

> Beyond this specific problem, I have a 2 related questions:
>
> - How to set up a password for users? It seems impossible through the tree editor. Does it need to be done using the API?
There's User.setPassword(UserPassword), which is the setter of a *containment reference* . It should be available in the
UI, too.

And there's SecurityManager.addUser(String, String):

public User addUser(final String id, final String password)
{
final User[] result = { null };
modify(new RealmOperation()
{
public void execute(Realm realm)
{
UserPassword userPassword = SecurityFactory.eINSTANCE.createUserPassword();
userPassword.setEncrypted(new String(password));

result[0] = realm.addUser(id);
result[0].setPassword(userPassword);
}
});

return result[0];
}

>
> - How to specify the EPackages for which you want to define permissions? When I add a Package Permission to Role, I
> don't see the registered EPackages in the list.
Good point! I think it's just an issue of the editor to fill the list properly. I wonder if we can mofidy the edit layer
of the security model. Can you please submit a respective enhancement request?

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper
Re: [CDO] Set up security manager [message #1004649 is a reply to message #1004478] Wed, 23 January 2013 15:37 Go to previous messageGo to next message
Pierre Gaufillet is currently offline Pierre Gaufillet
Messages: 30
Registered: July 2009
Member
Thanks for your reply, Eike Smile

Following you suggestion, I regenerated the realm using the initialization code of SecurityManager. I still cannot log into the repository (even with Administrator/0000), but it seems now that it is because Juno SR1 release doesn't include your patched version of SecurityManager.modify(RealmOperation). Time to switch to git master branch...

I also submitted an enhancement request about PackagePermission.applicablePackage: Bug #398885

By the way: is it ok if I add a short tutorial for setting up the securityManager on the wiki?
Re: [CDO] Set up security manager [message #1005003 is a reply to message #1004649] Thu, 24 January 2013 09:46 Go to previous messageGo to next message
Pierre Gaufillet is currently offline Pierre Gaufillet
Messages: 30
Registered: July 2009
Member
Hi!

I am facing an error when trying to switch to CDO framework from git master branch.
On Linux x86_64, my target platform is based on Eclipse 4.3M4 and includes EMF SDK, EMF Compare and Net4j DB framework Derby adapter (to get access to org.apache.derby).
The dependencies seems to be ok (something goes wrong in o.e.e.cdo.workspace.efs because I don't have org.h2 and org.h2.jdbcx installed, but I guess this is not used on the server side), nevertheless the CDO server crashes at starting with error:

[ERROR] java.sql.SQLSyntaxErrorException: Table/View 'CDO_PROPERTIES' does not exist.

It happens systematically, even if the database doesn't exist and is to be initialized by the server. Any idea?
Re: [CDO] Set up security manager [message #1005357 is a reply to message #1004649] Fri, 25 January 2013 04:41 Go to previous messageGo to next message
Eike Stepper is currently offline Eike Stepper
Messages: 5527
Registered: July 2009
Senior Member
Am 23.01.2013 16:37, schrieb Pierre Gaufillet:
> Thanks for your reply, Eike :)
>
> Following you suggestion, I regenerated the realm using the initialization code of SecurityManager. I still cannot log
> into the repository (even with Administrator/0000), but it seems now that it is because Juno SR1 release doesn't
> include your patched version of SecurityManager.modify(RealmOperation). Time to switch to git master branch...
Can you confirm that your problem is fixed there? If not, what is the exact effect of your problem?

> I also submitted an enhancement request about PackagePermission.applicablePackage:
> https://bugs.eclipse.org/bugs/show_bug.cgi?id=398885
Thx!

> By the way: is it ok if I add a short tutorial for setting up the securityManager on the wiki?
No, it's highly appreciated :P

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper
Re: [CDO] Set up security manager [message #1005359 is a reply to message #1005003] Fri, 25 January 2013 04:51 Go to previous messageGo to next message
Eike Stepper is currently offline Eike Stepper
Messages: 5527
Registered: July 2009
Senior Member
Am 24.01.2013 10:46, schrieb Pierre Gaufillet:
> Hi!
>
> I am facing an error when trying to switch to CDO framework from git master branch.
> On Linux x86_64, my target platform is based on Eclipse 4.3M4 and includes EMF SDK, EMF Compare and Net4j DB framework
If CDO comes from integration, i.e. a not-released version, then Net4j should be from the exact same origin. Better:
ensure that in general.

> Derby adapter (to get access to org.apache.derby).
You know that Derby is usually very slow compared to H2? That may be because of its stringent transactionality.

> The dependencies seems to be ok (something goes wrong in o.e.e.cdo.workspace.efs because I don't have org.h2 and
> org.h2.jdbcx installed, but I guess this is not used on the server side),
No.

> nevertheless the CDO server crashes at starting with error:
>
> [ERROR] java.sql.SQLSyntaxErrorException: Table/View 'CDO_PROPERTIES' does not exist.
>
> It happens systematically, even if the database doesn't exist and is to be initialized by the server. Any idea?
That reminds me to the PostgreSQL related bug https://bugs.eclipse.org/bugs/show_bug.cgi?id=394213, which ought to be fixed.

Can you please try with H2 and see if the same problem occurs?

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper
Re: [CDO] Set up security manager [message #1005370 is a reply to message #1004649] Fri, 25 January 2013 07:15 Go to previous messageGo to next message
Eike Stepper is currently offline Eike Stepper
Messages: 5527
Registered: July 2009
Senior Member
Hi Pierre,

While playing with the security manager I noticed a few issues, deadlocks during openSession() being among them. I'll
investigate further an report here...

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper


Am 23.01.2013 16:37, schrieb Pierre Gaufillet:
> Thanks for your reply, Eike :)
>
> Following you suggestion, I regenerated the realm using the initialization code of SecurityManager. I still cannot log
> into the repository (even with Administrator/0000), but it seems now that it is because Juno SR1 release doesn't
> include your patched version of SecurityManager.modify(RealmOperation). Time to switch to git master branch...
>
> I also submitted an enhancement request about PackagePermission.applicablePackage:
> https://bugs.eclipse.org/bugs/show_bug.cgi?id=398885
>
> By the way: is it ok if I add a short tutorial for setting up the securityManager on the wiki?
Re: [CDO] Set up security manager [message #1005466 is a reply to message #1005359] Fri, 25 January 2013 14:47 Go to previous messageGo to next message
Pierre Gaufillet is currently offline Pierre Gaufillet
Messages: 30
Registered: July 2009
Member
[quote title=Eike Stepper wrote on Thu, 24 January 2013 23:51]Am 24.01.2013 10:46, schrieb Pierre Gaufillet:
> You know that Derby is usually very slow compared to H2? That may be because of its stringent transactionality.

No, I am far from being a DB expert :-/
I have just chosen to use Derby because it was the default choice in exemplary cdo-server.xml. I just need a db with an easy set up for now.

> > nevertheless the CDO server crashes at starting with error:
> >
> > [ERROR] java.sql.SQLSyntaxErrorException: Table/View 'CDO_PROPERTIES' does not exist.
> >
> > It happens systematically, even if the database doesn't exist and is to be initialized by the server. Any idea?
> That reminds me to the PostgreSQL related bug https://bugs.eclipse.org/bugs/show_bug.cgi?id=394213, which ought to be fixed.
>
> Can you please try with H2 and see if the same problem occurs?

You are right: it works correctly with H2. The overall CDO edition seems also far more stable. I am not anymore facing random exceptions when something goes wrong in the editor.
Re: [CDO] Set up security manager [message #1005468 is a reply to message #1004478] Fri, 25 January 2013 14:57 Go to previous messageGo to next message
Pierre Gaufillet is currently offline Pierre Gaufillet
Messages: 30
Registered: July 2009
Member
[quote title=Eike Stepper wrote on Wed, 23 January 2013 05:21]Am 23.01.2013 10:59, schrieb Pierre Gaufillet:
> > - How to set up a password for users? It seems impossible through the tree editor. > > Does it need to be done using the API?
> There's User.setPassword(UserPassword), which is the setter of a *containment reference* . It should be available in the
UI, too.

In fact, I still don't see a mean to change password in the UI Sad
right-clic on a user/new child give only a grayed "Password" item and Annotation.
Re: [CDO] Set up security manager [message #1005481 is a reply to message #1005468] Fri, 25 January 2013 15:53 Go to previous messageGo to next message
Eike Stepper is currently offline Eike Stepper
Messages: 5527
Registered: July 2009
Senior Member
Am 25.01.2013 15:57, schrieb Pierre Gaufillet:
> [quote title=Eike Stepper wrote on Wed, 23 January 2013 05:21]Am 23.01.2013 10:59, schrieb Pierre Gaufillet:
>> > - How to set up a password for users? It seems impossible through the tree editor. > > Does it need to be done using the API?
>> There's User.setPassword(UserPassword), which is the setter of a *containment reference* . It should be available in the
> UI, too.
>
> In fact, I still don't see a mean to change password in the UI :(
> right-clic on a user/new child give only a grayed "Password" item and Annotation.
Ah, I remember now: I didn't do anything yet concerning the password management. I expected that these are set through
server API. It seems like a missing functionality, which is probably not too easy to design and implement such that it's
secure. Any thoughts on how this should appear to users/admins?

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper

?
Re: [CDO] Set up security manager [message #1005482 is a reply to message #1005466] Fri, 25 January 2013 15:54 Go to previous messageGo to next message
Eike Stepper is currently offline Eike Stepper
Messages: 5527
Registered: July 2009
Senior Member
Am 25.01.2013 15:47, schrieb Pierre Gaufillet:
> [quote title=Eike Stepper wrote on Thu, 24 January 2013 23:51]Am 24.01.2013 10:46, schrieb Pierre Gaufillet:
>> You know that Derby is usually very slow compared to H2? That may be because of its stringent transactionality.
>
> No, I am far from being a DB expert :-/
> I have just chosen to use Derby because it was the default choice in exemplary cdo-server.xml. I just need a db with
> an easy set up for now.
Oops, how old is your cdo-server.xml?

We changed the default to H2, hmm, 3 or 4 years ago, IIRC...

>
>> > nevertheless the CDO server crashes at starting with error:
>> >
>> > [ERROR] java.sql.SQLSyntaxErrorException: Table/View 'CDO_PROPERTIES' does not exist.
>> >
>> > It happens systematically, even if the database doesn't exist and is to be initialized by the server. Any idea?
>> That reminds me to the PostgreSQL related bug https://bugs.eclipse.org/bugs/show_bug.cgi?id=394213, which ought to be
>> fixed.
>>
>> Can you please try with H2 and see if the same problem occurs?
>
> You are right: it works correctly with H2. The overall CDO edition seems also far more stable. I am not anymore facing
> random exceptions when something goes wrong in the editor.
Excellent ;-)

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper
Re: [CDO] Set up security manager [message #1005722 is a reply to message #1005482] Mon, 28 January 2013 12:01 Go to previous messageGo to next message
Pierre Gaufillet is currently offline Pierre Gaufillet
Messages: 30
Registered: July 2009
Member
[quote title=Eike Stepper wrote on Fri, 25 January 2013 10:54]Am 25.01.2013 15:47, schrieb Pierre Gaufillet:
> > [quote title=Eike Stepper wrote on Thu, 24 January 2013 23:51]Am 24.01.2013 10:46, schrieb Pierre Gaufillet:
> >> You know that Derby is usually very slow compared to H2? That may be because of its stringent transactionality.
> >
> > No, I am far from being a DB expert :-/
> I have just chosen to use Derby because it was the default choice in exemplary cdo-server.xml. I just need a db with
> > an easy set up for now.
> Oops, how old is your cdo-server.xml?
>
> We changed the default to H2, hmm, 3 or 4 years ago, IIRC...

I followed the following tutorial to set up my initial cdo-server: wiki.eclipse.org/Setting_up_a_CDO_Server. It wasn't looking too old at first sight Sad
Re: [CDO] Set up security manager [message #1005724 is a reply to message #1005481] Mon, 28 January 2013 12:09 Go to previous messageGo to next message
Pierre Gaufillet is currently offline Pierre Gaufillet
Messages: 30
Registered: July 2009
Member
[quote title=Eike Stepper wrote on Fri, 25 January 2013 10:53]Am 25.01.2013 15:57, schrieb Pierre Gaufillet:
Eike Stepper wrote on Wed, 23 January 2013 05:21
Am 23.01.2013 10:59, schrieb Pierre Gaufillet:
>> > - How to set up a password for users? It seems impossible through the tree editor. > > Does it need to be done using the API?
>> There's User.setPassword(UserPassword), which is the setter of a *containment reference* . It should be available in the
> UI, too.
>
> In fact, I still don't see a mean to change password in the UI Sad
> right-clic on a user/new child give only a grayed "Password" item and Annotation.
Ah, I remember now: I didn't do anything yet concerning the password management. I expected that these are set through
server API. It seems like a missing functionality, which is probably not too easy to design and implement such that it's
secure. Any thoughts on how this should appear to users/admins?


Well, Users may do this through an item in the menu of the CDO Sessions view, once logged in. Administrators would need to do it through the Realm editor, on the User object. This one should probably completely mask the default Password creation item.
In term of security, I guess it has already been solved in some way for the login stage of CDO sessions? The way password is to be transfered from client to server should be equivalent to it.
Re: [CDO] Set up security manager [message #1005757 is a reply to message #1005724] Mon, 28 January 2013 15:16 Go to previous messageGo to next message
Pierre Gaufillet is currently offline Pierre Gaufillet
Messages: 30
Registered: July 2009
Member
Eike,

your last commit has improved greatly the robustness and usability of the security manager. I have been able to test it further, and of course I have now a full new bunch of remarks and suggestions Wink

  • User default rights: in SecurityManager, I see:
      protected CDOPermission getPermission(CDORevision revision, CDORevisionProvider revisionProvider,
          CDOBranchPoint securityContext, User user)
      {
        CDOPermission result = convertPermission(user.getDefaultAccess());
        if (result == CDOPermission.WRITE)
        {
          return result;
        }
    
        EList<Permission> allPermissions = user.getAllPermissions();
        for (Permission permission : allPermissions)
        {
          CDOPermission p = convertPermission(permission.getAccess());
          if (p.ordinal() <= result.ordinal())
    ...
    

    if I understand correctly this code, it means that if the default access right for a given user is WRITE, then it replaces any other right that may have been defined elsewhere for this guy. It is disturbing, as most of the time default rights apply, well... when there is no other applicable right. I would therefore rather move this code to the end of the method and would not only return WRITE, but also READ and NONE access rights.
  • ClassPermission.isApplicable() should take care of inheritance. When you give write access to ENamedElement for exemple, you expect that EClassifier will inherit this right. Strict application may nevertheless be an option.
  • ClassPermission: it would be nice to have nested StructuralFeaturePermission allowing to refine access right in a given Class, with a default feature right access defined in the ClassPermission.
  • Security / Server life cycle: it seems that modifications in the security resource are only reloaded when the server is restarted. If it is really so, it is really annoying: an action should be provided to reload it on demand, or changes should be automatically reloaded after they have been committed.
  • CDO editor: "Create child" actions should be grayed (or optionally removed) when the user has no right to create them. Currently, it is possible to create objects in a resource even if you do not have the write access, but the modification are rejected in block at commit time: it is quite frustrating.

Of course, I would be pleased to submit tickets if you think it is appropriate.

Pierre
Re: [CDO] Set up security manager [message #1005793 is a reply to message #1005724] Mon, 28 January 2013 18:32 Go to previous messageGo to next message
Eike Stepper is currently offline Eike Stepper
Messages: 5527
Registered: July 2009
Senior Member
Am 28.01.2013 13:09, schrieb Pierre Gaufillet:
> [quote title=Eike Stepper wrote on Fri, 25 January 2013 10:53]Am 25.01.2013 15:57, schrieb Pierre Gaufillet:
> Eike Stepper wrote on Wed, 23 January 2013 05:21
>> Am 23.01.2013 10:59, schrieb Pierre Gaufillet:
>> >> > - How to set up a password for users? It seems impossible through the tree editor. > > Does it need to be done
>> using the API?
>> >> There's User.setPassword(UserPassword), which is the setter of a *containment reference* . It should be available
>> in the > UI, too.
>> >
>> > In fact, I still don't see a mean to change password in the UI :(
>> > right-clic on a user/new child give only a grayed "Password" item and Annotation.
>> Ah, I remember now: I didn't do anything yet concerning the password management. I expected that these are set
>> through server API. It seems like a missing functionality, which is probably not too easy to design and implement
>> such that it's secure. Any thoughts on how this should appear to users/admins?
>
>
> Well, Users may do this through an item in the menu of the CDO Sessions view, once logged in.
Good idea. Can you please submit an enhancement request?

> Administrators would need to do it through the Realm editor, on the User object.
It strikes me that Administrators should neither read user passwords nor set specific ones (that they would know then).
What about an action to just reset them to some newly generated one that is expected to be changed by the user later on?

> This one should probably completely mask the default Password creation item.
What do you mean by "mask"?

> In term of security, I guess it has already been solved in some way for the login stage of CDO sessions? The way
> password is to be transfered from client to server should be equivalent to it.
No, that's really different. There it's a Diffie-Hellman based challenge/response protocol that is initiated by the server.

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper
Re: [CDO] Set up security manager [message #1005825 is a reply to message #1005793] Mon, 28 January 2013 20:58 Go to previous messageGo to next message
Pierre Gaufillet is currently offline Pierre Gaufillet
Messages: 30
Registered: July 2009
Member
[quote title=Eike Stepper wrote on Mon, 28 January 2013 13:32]Am 28.01.2013 13:09, schrieb Pierre Gaufillet:
Eike Stepper wrote on Fri, 25 January 2013 10:53
Am 25.01.2013 15:57, schrieb Pierre Gaufillet:
>> > In fact, I still don't see a mean to change password in the UI Sad
>> > right-clic on a user/new child give only a grayed "Password" item and Annotation.
>> Ah, I remember now: I didn't do anything yet concerning the password management. I expected that these are set
>> through server API. It seems like a missing functionality, which is probably not too easy to design and implement
>> such that it's secure. Any thoughts on how this should appear to users/admins?
>
>
> Well, Users may do this through an item in the menu of the CDO Sessions view, once logged in.
Good idea. Can you please submit an enhancement request?


Done in ticket #399306.

Quote:

> Administrators would need to do it through the Realm editor, on the User object.
It strikes me that Administrators should neither read user passwords nor set specific ones (that they would know then).
What about an action to just reset them to some newly generated one that is expected to be changed by the user later on?


And how do you transmit this new password to the user? Smile
I think Administrators are to be trusted: I suggest therefore to keep a simple schema in this case. The only difference is that the Administrator can change any password without knowing the former one.

Quote:

> This one should probably completely mask the default Password creation item.
What do you mean by "mask"?

"Replace" would be better I guess.
Re: [CDO] Set up security manager [message #1005857 is a reply to message #1005825] Tue, 29 January 2013 05:59 Go to previous messageGo to next message
Eike Stepper is currently offline Eike Stepper
Messages: 5527
Registered: July 2009
Senior Member
Am 28.01.2013 21:58, schrieb Pierre Gaufillet:
> [quote title=Eike Stepper wrote on Mon, 28 January 2013 13:32]Am 28.01.2013 13:09, schrieb Pierre Gaufillet:
> Eike Stepper wrote on Fri, 25 January 2013 10:53
>> Am 25.01.2013 15:57, schrieb Pierre Gaufillet:
>> >> > In fact, I still don't see a mean to change password in the UI :(
>> >> > right-clic on a user/new child give only a grayed "Password" item and Annotation.
>> >> Ah, I remember now: I didn't do anything yet concerning the password management. I expected that these are set >>
>> through server API. It seems like a missing functionality, which is probably not too easy to design and implement >>
>> such that it's secure. Any thoughts on how this should appear to users/admins?
>> >
>> >
>> > Well, Users may do this through an item in the menu of the CDO Sessions view, once logged in. Good idea. Can you
>> please submit an enhancement request?
>
>
> Done in ticket https://bugs.eclipse.org/bugs/show_bug.cgi?id=399306.
Thx.

>
> Quote:
>> > Administrators would need to do it through the Realm editor, on the User object. It strikes me that Administrators should neither read user passwords
>> nor set specific ones (that they would know then). What about an action to just reset them to some newly generated
>> one that is expected to be changed by the user later on?
>
>
> And how do you transmit this new password to the user? :)
That's a major challenge which I have no answer for at this point ;-(

> I think Administrators are to be trusted:
I have to totally disagree with this assertion. I wouldn't want an administrator to have access to my secure bank
account or credit card information. Or a hacker who compromised the admin password to have access to *all* user
passwords. I doubt that a linux root user can read user passwords and that should be a hint.

> I suggest therefore to keep a simple schema in this case.
As simple as adequate, but no simpler :P

> The only difference is that the Administrator can change any password without knowing the former one.
I think the most fundamental rule is: Noone (I repeat, noone!) except a user should have read access to this user's
password.

What brings us back to your first question: How is a new, random password that's been set by the admin (without actually
seeing or knowing it) made available to the user?

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper
Re: [CDO] Set up security manager [message #1005943 is a reply to message #1005857] Tue, 29 January 2013 11:21 Go to previous messageGo to next message
Pierre Gaufillet is currently offline Pierre Gaufillet
Messages: 30
Registered: July 2009
Member
Eike Stepper wrote on Tue, 29 January 2013 00:59
> Quote:
>> > Administrators would need to do it through the Realm editor, on the User object. It strikes me that Administrators should neither read user passwords
>> nor set specific ones (that they would know then). What about an action to just reset them to some newly generated
>> one that is expected to be changed by the user later on?
>
>
> And how do you transmit this new password to the user? Smile
That's a major challenge which I have no answer for at this point ;-(

> I think Administrators are to be trusted:
I have to totally disagree with this assertion. I wouldn't want an administrator to have access to my secure bank
account or credit card information. Or a hacker who compromised the admin password to have access to *all* user
passwords. I doubt that a linux root user can read user passwords and that should be a hint.

I am not talking about read access, but write access. Administrators may only be able to impose a new password, not read it. This is something any Unix admin can do (admin who by the way can take the identity of any user in the system without knowing their password Smile ).

Alternatives are more complex. In the login dialog:

  • Either propose sending a reinitialized password to the email address (or cellphone number) of the user (if known). The account is locked as long as this password has not been changed by the user. Inconvenient: you need to connect the CDO server to a SMTP server (or SMS service), and to have a known email address (or phone number).
  • Or propose answering to some secret questions that have been previously defined by the user. If the answers are corrects, prompt for a new password. If not, rely on the method above.

But if none of these approach works, I am afraid we have to rely on a trusted third party :-/ In a lot of deployment cases, the first option won't be available.

Now, why not proposing several levels of security or mechanisms, depending on your requirements? It may be options of your cdo-server.xml or security realm?

Note that all this discussion also applies to the creation of CDO user accounts and privilege settings.

Pierre
Re: [CDO] Set up security manager [message #1005957 is a reply to message #1005943] Tue, 29 January 2013 12:04 Go to previous messageGo to next message
Eike Stepper is currently offline Eike Stepper
Messages: 5527
Registered: July 2009
Senior Member
Am 29.01.2013 12:21, schrieb Pierre Gaufillet:
> Eike Stepper wrote on Tue, 29 January 2013 00:59
>> > Quote:
>> >> > Administrators would need to do it through the Realm editor, on the User object. It strikes me that
>> Administrators should neither read user passwords >> nor set specific ones (that they would know then). What about an
>> action to just reset them to some newly generated >> one that is expected to be changed by the user later on?
>> >
>> >
>> > And how do you transmit this new password to the user? :)
>> That's a major challenge which I have no answer for at this point ;-(
>>
>> > I think Administrators are to be trusted: I have to totally disagree with this assertion. I wouldn't want an
>> administrator to have access to my secure bank account or credit card information. Or a hacker who compromised the
>> admin password to have access to *all* user passwords. I doubt that a linux root user can read user passwords and
>> that should be a hint.
>
> I am not talking about read access, but write access. Administrators may only be able to impose a new password, not
> read it. This is something any Unix admin can do (admin who by the way can take the identity of any user in the system
> without knowing their password :) ).
That's an interesting point! It makes me aware that I have to rephrase my original assertion: If a password is set by a
user then noone else must be able to gain knowledge of it. The reason is obvious, that user might use it with other systems.

This opens the door for the following approach: Noone can read passwords (probably best to just store a hash of it). A
user can change it at any time, perhaps by repeating the old password again. An admin can change the password of any
user without repeating the old password of that user. It's the admin's responsibility to inform the user about the new
password and remind him to change it again as quickly as possible.

That may be what you had in mind ;-)

>
> Alternatives are more complex. In the login dialog:
>
> Either propose sending a reinitialized password to the email address (or cellphone number) of the user (if known). The
> account is locked as long as this password has not been changed by the user. Inconvenient: you need to connect the CDO
> server to a SMTP server (or SMS service), and to have a known email address (or phone number).
> Or propose answering to some secret questions that have been previously defined by the user. If the answers are
> corrects, prompt for a new password. If not, rely on the method above.
>
> But if none of these approach works, I am afraid we have to rely on a trusted third party :-/ In a lot of deployment
> cases, the first option won't be available.
>
> Now, why not proposing several levels of security or mechanisms, depending on your requirements? It may be options of
> your cdo-server.xml or security realm?
>
> Note that all this discussion also applies to the creation of CDO user accounts
Well, they're currently created by an admin or through server-side application code. So yes, the admin would also know
it for a while and would have to inform the user.

> and privilege settings.
How's that related?

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper
Re: [CDO] Set up security manager [message #1005978 is a reply to message #1005957] Tue, 29 January 2013 13:07 Go to previous messageGo to next message
Pierre Gaufillet is currently offline Pierre Gaufillet
Messages: 30
Registered: July 2009
Member
Eike Stepper wrote on Tue, 29 January 2013 07:04
Am 29.01.2013 12:21, schrieb Pierre Gaufillet:
> Eike Stepper wrote on Tue, 29 January 2013 00:59
>> > Quote:
>> >> > Administrators would need to do it through the Realm editor, on the User object. It strikes me that
>> Administrators should neither read user passwords >> nor set specific ones (that they would know then). What about an
>> action to just reset them to some newly generated >> one that is expected to be changed by the user later on?
>> >
>> >
>> > And how do you transmit this new password to the user? Smile
>> That's a major challenge which I have no answer for at this point ;-(
>>
>> > I think Administrators are to be trusted: I have to totally disagree with this assertion. I wouldn't want an
>> administrator to have access to my secure bank account or credit card information. Or a hacker who compromised the
>> admin password to have access to *all* user passwords. I doubt that a linux root user can read user passwords and
>> that should be a hint.
>
> I am not talking about read access, but write access. Administrators may only be able to impose a new password, not
> read it. This is something any Unix admin can do (admin who by the way can take the identity of any user in the system
> without knowing their password Smile ).
That's an interesting point! It makes me aware that I have to rephrase my original assertion: If a password is set by a
user then noone else must be able to gain knowledge of it. The reason is obvious, that user might use it with other systems.

This opens the door for the following approach: Noone can read passwords (probably best to just store a hash of it). A
user can change it at any time, perhaps by repeating the old password again. An admin can change the password of any
user without repeating the old password of that user. It's the admin's responsibility to inform the user about the new
password and remind him to change it again as quickly as possible.

That may be what you had in mind Wink

You are right: that's it Smile .

Quote:

> Note that all this discussion also applies to the creation of CDO user accounts
Well, they're currently created by an admin or through server-side application code. So yes, the admin would also know
it for a while and would have to inform the user.

...and taking into account the discussion above, this is perfectly acceptable.

Quote:

> and privilege settings.
How's that related?

You can forget about it for now: I was wondering what would happen if a user asks for a new account without the intervention of an administrator.

Pierre
Re: [CDO] Set up security manager [message #1012465 is a reply to message #1005978] Thu, 21 February 2013 15:56 Go to previous messageGo to next message
Marc Gil is currently offline Marc Gil
Messages: 81
Registered: July 2009
Member
Hi,

I'm using CDO 4.2 M5 (S20130205-0640), and I'm having problems when use a created User. The problem appears when I start a session using a new created user, that doesn't have any password. An exception appears in the SessionManager$Authenticator class when try to get the password text from a non existent password element for this user.

Concretelly in the line 605 of the SecurityManager class.

java.lang.SecurityException: java.lang.NullPointerException
	at org.eclipse.emf.cdo.internal.server.SessionManager.authenticateUser(SessionManager.java:425)
	at org.eclipse.emf.cdo.internal.server.SessionManager.openSession(SessionManager.java:192)
	at org.eclipse.emf.cdo.server.internal.net4j.protocol.OpenSessionIndication.responding(OpenSessionIndication.java:125)


If this is not solved, the only way to set a password is directly on the DB...

In the case no password is set to the user, I think that a dialog should appear asking the new password for the user. With this, you can ensure first that the administrator doesn't set the password of the user, and the second that the user can login to the repository.

Best regards,
Marc Gil
Re: [CDO] Set up security manager [message #1012781 is a reply to message #1012465] Fri, 22 February 2013 08:11 Go to previous messageGo to next message
Eike Stepper is currently offline Eike Stepper
Messages: 5527
Registered: July 2009
Senior Member
Am 21.02.2013 16:56, schrieb Marc Gil:
> Hi,
>
> I'm using CDO 4.2 M5 (S20130205-0640), and I'm having problems when use a created User. The problem appears when I
> start a session using a new created user, that doesn't have any password. An exception appears in the
> SessionManager$Authenticator class when try to get the password text from a non existent password element for this user.
>
> Concretelly in the line 605 of the SecurityManager class.
>
> java.lang.SecurityException: java.lang.NullPointerException
> at org.eclipse.emf.cdo.internal.server.SessionManager.authenticateUser(SessionManager.java:425)
> at org.eclipse.emf.cdo.internal.server.SessionManager.openSession(SessionManager.java:192)
> at org.eclipse.emf.cdo.server.internal.net4j.protocol.OpenSessionIndication.responding(OpenSessionIndication.java:125)
>
> If this is not solved, the only way to set a password is directly on the DB...
>
> In the case no password is set to the user, I think that a dialog should appear asking the new password for the user.
> With this, you can ensure first that the administrator doesn't set the password of the user, and the second that the
> user can login to the repository.
Pierre has written a nice tutorial on CDO's security model: http://wiki.eclipse.org/CDO/Security_Manager

Can you please check if your points do belong to any of the bugzillas he's already filed and possibly comment there?
Thanks;-)

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper
Re: [CDO] Set up security manager [message #1012812 is a reply to message #1012781] Fri, 22 February 2013 09:08 Go to previous messageGo to next message
Marc Gil is currently offline Marc Gil
Messages: 81
Registered: July 2009
Member
Hi Eike!

Yes, it's a very very nice tutorial from Pierre Very Happy Because of this tutorial, I get finally to understand how to use the security in CDO Smile

I didn't check if exists any bug regarding this error, cause I assume that as the last message of this thread is dated at 29 January, and the CDO version I'm using is the last one available (the generated on 5 February), this problem is not really solved. So maybe I should register a bugzilla, isn't it? I have debugged the code and I found the error at the line 605 of the SecurityManager class, as I commented in my previous message.

Thanks!!
Marc
Re: [CDO] Set up security manager [message #1014614 is a reply to message #1012812] Tue, 26 February 2013 06:41 Go to previous message
Eike Stepper is currently offline Eike Stepper
Messages: 5527
Registered: July 2009
Senior Member
Am 22.02.2013 10:08, schrieb Marc Gil:
> Hi Eike!
>
> Yes, it's a very very nice tutorial from Pierre :d Because of this tutorial, I get finally to understand how to use
> the security in CDO :)
>
> I didn't check if exists any bug regarding this error, cause I assume that as the last message of this thread is dated
> at 29 January, and the CDO version I'm using is the last one available (the generated on 5 February), this problem is
> not really solved.
No, I didn't work in this area since.

> So maybe I should register a bugzilla, isn't it?
Yes, if you think it won't be a duplicate of one of Pierres' bugs.

> I have debugged the code and I found the error at the line 605 of the SecurityManager class, as I commented in my
> previous message.
Patches (on bugzillas) are highly appreciated ;-)

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper
Previous Topic:[CDO] How to register a Resource Opener
Next Topic:[CDO] Can only retrieve current version
Goto Forum:
  


Current Time: Wed Oct 01 06:00:03 GMT 2014

Powered by FUDForum. Page generated in 0.53145 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software