Reputation: 21
Assets on WSO2 ES are retrieved by a direct URL, without access control.
Despite not assigning permissions to anonymous users, once a user has the URL to an asset, everyone who knows that URL can download the resource.
Is there any plan to implement access control to assets?
Upvotes: 0
Views: 67
Reputation: 31
This seems to be a bug, as the access rights are supposed to be checked before serving the resource. The list of allowed roles is specified in the configuration files found in the ext/config/ folder. An example of its usage can be found in /store/config/ext/gadget.json:
"storage": {
    "images_banner": {
        "lifecycle": {
            "created": ["private_{overview_provider}"],
            "in-review": ["reviewer", "private_{overview_provider}"],
            "published": ["Internal/everyone", "private_{overview_provider}", "reviewer", "anon"],
            "unpublished": ["private_{overview_provider}"]
        }
    },
    "images_thumbnail": {
        "lifecycle": {
            "created": ["private_{overview_provider}"],
            "in-review": ["reviewer", "private_{overview_provider}"],
            "published": ["Internal/everyone", "private_{overview_provider}", "reviewer", "anon"],
            "unpublished": ["private_{overview_provider}"]
        }
    }
}
I have logged a JIRA for this issue [1] and we will have it fixed in the next release.
[1] https://wso2.org/jira/browse/STORE-383
Thanks, Sameera
Upvotes: 2
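The check the answer says should run before a storage resource is served, written out as an added example that is not WSO2 ES code: the per-lifecycle-state role lists from the gadget.json snippet are evaluated against the asset's state and the requester's roles, with the `{overview_provider}` placeholder resolved to the asset's provider. The requester/asset shapes, the `anon` pseudo-role for unauthenticated callers and the `private_<username>` role naming are assumptions made for the example.

```javascript
// Added example, not WSO2 ES code. Models the access check that gadget.json's
// "storage" section describes, so that knowing a resource URL is not enough.

// Constructed copy of the "images_banner" entry from the answer's config.
const storageConfig = {
  images_banner: {
    lifecycle: {
      created: ['private_{overview_provider}'],
      'in-review': ['reviewer', 'private_{overview_provider}'],
      published: ['Internal/everyone', 'private_{overview_provider}', 'reviewer', 'anon'],
      unpublished: ['private_{overview_provider}'],
    },
  },
};

// Assumption: "{overview_provider}" is the username of the asset's provider,
// so the template becomes that user's private role (e.g. "private_alice").
function resolveRole(template, asset) {
  return template.replace('{overview_provider}', asset.provider);
}

// Returns true only if some role allowed for the field in the asset's current
// lifecycle state is held by the requester. Unknown fields or states are denied
// rather than served, which is the failure mode the question describes.
// asset: { provider: string, lifecycleState: string }
// requester: { roles: string[] }  (assumption: anonymous callers hold ['anon'])
function canServe(config, field, asset, requester) {
  const fieldConfig = config[field];
  if (!fieldConfig || !fieldConfig.lifecycle) return false;
  const allowed = fieldConfig.lifecycle[asset.lifecycleState];
  if (!Array.isArray(allowed)) return false;
  const held = new Set(requester.roles || []);
  return allowed.some((template) => held.has(resolveRole(template, asset)));
}

// Decide whether a download request for /<field> of an asset may proceed.
// The unfixed behaviour is equivalent to always returning 'serve'.
function handleDownload(config, field, asset, requester) {
  return canServe(config, field, asset, requester) ? 'serve' : 'deny';
}

// Stand-alone demo with constructed data.
const banner = { provider: 'alice', lifecycleState: 'created' };
console.log(handleDownload(storageConfig, 'images_banner', banner, { roles: ['anon'] }));
console.log(handleDownload(storageConfig, 'images_banner', banner, { roles: ['private_alice'] }));
```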