Re: [CDO] Security aspects for access rights [message #1780037 is a reply to message #1780011] |
Tue, 16 January 2018 17:21 |
Robert Schulk wrote on Tue, 16 January 2018 15:17:
> Hi all,
> has there ever been any analysis/review of the security for access to the CDO database?
I'm not aware of any such analysis.
Robert Schulk wrote on Tue, 16 January 2018 15:17:
> Is the security implementation CDO specific or are there off-the-shelf components used for critical parts?
That depends a little bit on what "security" is for you. Let's assume that security is a combination of authentication and authorization.
Authentication in CDO is implemented with a Diffie-Hellman protocol (see org.eclipse.net4j.util.security.DiffieHellman) that allows clients to hook in a credentials provider (see org.eclipse.emf.cdo.session.CDOSessionConfiguration.setCredentialsProvider) and allows the server to hook in an authenticator (see org.eclipse.emf.cdo.server.ISessionManager.setAuthenticator).
For authorization there exist a number of hooks in the server. The most important ones are write access handlers (see org.eclipse.emf.cdo.server.IRepository.addHandler) and permission managers (see org.eclipse.emf.cdo.spi.server.InternalSessionManager.setPermissionManager). They're all a bit low-level, but there's a nice default implementation in org.eclipse.emf.cdo.server.internal.security.SecurityManager, which is documented in https://wiki.eclipse.org/CDO/Security_Manager .
Robert Schulk wrote on Tue, 16 January 2018 15:17:
> The general question that I am asking myself is: could I expose a CDO server directly to the internet, or would it be wise to use some VPN or similar on top?
Hard to decide without knowing about your specific concerns. I'd say, the more restrictions on networking level the better ;-)
Cheers
/Eike
----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper