Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move authentification and authorization from frontend to service #1

Merged
merged 35 commits into from
Oct 30, 2012
Merged

Move authentification and authorization from frontend to service #1

merged 35 commits into from
Oct 30, 2012

Conversation

thomaskrause
Copy link
Owner

Until now the annis-gui was responsible for authentification and authorization. The annis-service itself was not secured at all (other than only listening to localhost).

This branch moves the responsibility to the service. Thus the search functionality can be exposed to the outer world using a HTTP proxy and the service.

The branch also replaces the self made security manager with the Apache Shiro library. This powerful external library has several advantages

  • powerful abstraction and more fine grained access control (e.g. only allow count but not subgraph retrievial for a specific user)
  • much more tested implementation
  • support for salted passwords
  • integration of other authentification techniques like LDAP
  • administrator can configure the security model with the shiro.ini file

@thomaskrause
dummy "test:test" Realm which protects alls URLs
55ccd13 
(just an Apache Shiro integration test)
@thomaskrause
Merge remote-tracking branch 'origin/master' into shiro
4d43250 
Conflicts:
	annis-service/src/main/java/annis/service/internal/AnnisServiceRunner.java
@thomaskrause
new files where not moved when folder was moved
ab01bd4
@thomaskrause
secure the existing query functions
44c44b6
@thomaskrause
typo
ce068a0
@thomaskrause
Merge branch 'master' into shiro
42b71e6
@thomaskrause
default anonymous user implementation if no http authentification hea…
c94907b 
…der is set
@thomaskrause
only show corpora which the user is allowed to query in corpus list
d47aec1
@thomaskrause
preparing to add the possibility to store user configuration in the d…
eca3892 
…atabase
@thomaskrause
Merge remote-tracking branch 'origin/master' into shiro
a648531
@thomaskrause
replacing NamedJdbcTemplate with more common JdcbTemplate
49c651c 
- most calls on jdbcTemplate use the getJdbcOperations() (which is more or ess equal to the JdbcTemplate) anyway
- also removing some unused functions
@thomaskrause
renamed annis resource path to annis-query in order not to conflict w…
bf76274 
…ith annis-admin

also implemented SQL queries for the user configuration storage/retrieval
@thomaskrause
storing did not work since json cast was missing and transaction was …
da9c56d 
…set to readonly
@thomaskrause
fixing the AnnisUserConfig serialization/deserializatioj
d7c32ec
@thomaskrause
updating jersey dependencies
a48cf4a
@thomaskrause
adjusting to new security model, no need to check corpus access on GU…
e6482e0 
…I side

for now this just compiles but is not checked for functionality :)
@thomaskrause
using multithreaded http handler and other fixes
121b012
@thomaskrause
BinaryServlet needs authorization too + other interface compilation r…
bc3fa8a 
…elated fixes
@thomaskrause
better error message if getting the corpus list ist forbidden
7a20a3b
@thomaskrause
more error handling and using update/conditional insert instead of al…
09c5ae6 
…ways deleting user config entry
@thomaskrause
Merge remote-tracking branch 'origin/master' into shiro
f8e3db7 
Conflicts:
	annis-service/src/main/java/annis/service/internal/AnnisServiceRunner.java
@thomaskrause
implementing an own Realm for the classical ANNIS user configuration
51afe6f
@thomaskrause
create fallback if unhashed sha256sum is used
995f12c
@thomaskrause
support anonymous user "login"
82eb63b
@thomaskrause
enable authorization caching
0c38667
@thomaskrause
also enable authentification cache
0311abf
@thomaskrause
small fixes
9356977 
- fixing user config update parameter order
- avoid reading user properties if anonymous user
@thomaskrause
fixing some stuff related to the corpus set selection
a32f78b 
- actually show the right corpora for a selection, there was some confusion with old code that made it non-working
@thomaskrause
store changes from corpus set on server
d6b383f
@thomaskrause
memory saving client implementation of WekaExporter (service still ne…
97fa783 
…eds improvements)
thomaskrause added a commit that referenced this pull request Oct 30, 2012
@thomaskrause
Merge pull request #1 from thomaskrause/shiro
3aff760 
Move authentification and authorization from frontend to service

Until now the annis-gui was responsible for authentification and authorization. The annis-service itself was not secured at all (other than only listening to localhost).

This branch moves the responsibility to the service. Thus the search functionality can be exposed to the outer world using a HTTP proxy and the service.

The branch also replaces the self made security manager with the Apache Shiro library. This powerful external library has several advantages

powerful abstraction and more fine grained access control (e.g. only allow count but not subgraph retrievial for a specific user)
much more tested implementation
support for salted passwords
integration of other authentification techniques like LDAP
administrator can configure the security model with the shiro.ini file
@thomaskrause thomaskrause merged commit 3aff760 into master Oct 30, 2012
thomaskrause added a commit that referenced this pull request Sep 29, 2013
@thomaskrause
fixed korpling#221
b06e782 
Precedence optimization fails when applied to spans which cover more than one token

Take e.g. this query on pcc2
NP & NP & NP &  #1 . #2 & #2 . #3

In ANNIS 2 this gave us 2 results, but since ANNIS 3 incorrectly applies the precedence optimization the query gets translated to

NP & NP & NP &  #1 . #2 & #2 . #3 & #1 . #3

and has only 1 match. The correct optimization would be

NP & NP & NP &  #1 . #2 & #2 . #3 & #1 .* #3

This commit adds proper test cases for this situation and gives a fix
thomaskrause added a commit that referenced this pull request Nov 5, 2013
@thomaskrause
splitting up listener for query nodes and for joins in order to allow…
a5cebcd 
… query like

#1 . #2 & node & node
thomaskrause added a commit that referenced this pull request Nov 20, 2013
@thomaskrause
use "==" operator for identiy in order to solve ambiguity when parsing
3e897e0 
tok="abc" . node

which could be either

tok="abc" & node & #1 . #2
or
tok & "abc" & node &  #1 = #2 & #2 . #3
thomaskrause pushed a commit that referenced this pull request Oct 15, 2014
@zangsir
Merge pull request #1 from korpling/develop
390495d 
update changes from korpling for September
thomaskrause added a commit that referenced this pull request Feb 15, 2016
@thomaskrause
AQL: don't allow non-binding operators "==" and "!=" directly between…
6efd4ae 
… node definitions.

This removes an ambiquity for the "!=" token. E.g.

tok!="the"

could be interpreted as "All token which don't have "the" as value" or as

tok & "the" & #1 != #2

The latter one is semantically invalid (no binding) so the ambiquity is solved by not allowing the AQL operator "!=" and "==" in short AQL definitions.

This fixes korpling#494.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@thomaskrause