Restricting access to Release Automation SWAGGER API to SUPERUSER ROLE

Article ID: 198186

Products

CA Release Automation - Release Operations Center (Nolio)
CA Release Automation - DataManagement Server (Nolio)

Issue/Introduction

How can we restrict usage of the SWAGGER API to the superuser role only?

Environment

Release : 6.6

Component : CA RELEASE AUTOMATION CORE

Resolution

Access to the SWAGGER API can be restricted through the Spring Security context configuration. The configuration file is called applicationContext-acegi-security.xml and is located under "/datamanagement/WEB-INF".
 
By default the file contains two profiles, "basic" and "saml", because the entry-point URL differs between users logging in normally and users logging in through SAML. To be safe, change the configuration in both profiles.
 
Steps to restrict access to the SWAGGER API
 
1: Create a backup of the file \ReleaseAutomationServer\webapps\datamanagement\WEB-INF\applicationContext-acegi-security.xml
2: Open the file \ReleaseAutomationServer\webapps\datamanagement\WEB-INF\applicationContext-acegi-security.xml in edit mode
3: Search for <b:beans profile="basic"> and add the URL patterns that are to be restricted to the specific role. For the SWAGGER API the URL pattern is /apis/public.html; for the agent upgrade API it is /a/api/v3/upgrade-agents. Add the two entries at the top of the <http> element, before the broader /a/** pattern: Spring Security evaluates intercept-url entries in declaration order and applies the first one that matches, so an entry placed after /a/** would never take effect. The section below shows the two entries that restrict access to the mentioned APIs to the SUPERUSER role.
 
The intercept-url entries added are:
    • <intercept-url pattern="/apis/public.html" access="ROLE_SUPERUSER"/>
    • <intercept-url pattern="/a/api/v3/upgrade-agents" access="ROLE_SUPERUSER"/>
 
<b:beans profile="basic">
    <http auto-config="true" entry-point-ref="delegatingAuthenticationEntryPoint" realm="center-realm" disable-url-rewriting="true">
        <intercept-url pattern="/apis/public.html" access="ROLE_SUPERUSER"/>
        <intercept-url pattern="/a/api/v3/upgrade-agents" access="ROLE_SUPERUSER"/>
        <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"  />   <!--filters="none"-->
        <intercept-url pattern="/actionshelp.jsp*" access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER,ROLE_SYS_ADMIN,ROLE_USER_ADMIN"  />   <!--filters="none"-->
        <intercept-url pattern="/actionshelpxml.jsp*" access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER,ROLE_SYS_ADMIN,ROLE_USER_ADMIN"  />   <!--filters="none"-->
        <!-- <intercept-url pattern="/a/*" filters="none"  />   &lt;!&ndash;filters="none"&ndash;&gt;-->
        <intercept-url pattern="/tail-process.jsp*" access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER,ROLE_SYS_ADMIN,ROLE_USER_ADMIN"  />
        <intercept-url pattern="/a/**" access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER,ROLE_SYS_ADMIN,ROLE_USER_ADMIN"  />
        <intercept-url pattern="/design/**" access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER,ROLE_SYS_ADMIN,ROLE_USER_ADMIN"  />
        <intercept-url pattern="/ra/**" access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER,ROLE_SYS_ADMIN,ROLE_USER_ADMIN"  />
        <intercept-url pattern="/websocket/**" access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER,ROLE_SYS_ADMIN,ROLE_USER_ADMIN"  />
        <intercept-url pattern="/asaprest/**" access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER,ROLE_SYS_ADMIN,ROLE_USER_ADMIN"  />
        <intercept-url pattern="/reporting/**" access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER,ROLE_SYS_ADMIN,ROLE_USER_ADMIN"  />
        <intercept-url pattern="/reports/**" access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER,ROLE_SYS_ADMIN,ROLE_USER_ADMIN"  />
        <intercept-url pattern="/monitoringui.html*" access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER,ROLE_SYS_ADMIN,ROLE_USER_ADMIN" />
        <intercept-url pattern="/monitoringui.html" access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER,ROLE_SYS_ADMIN,ROLE_USER_ADMIN" />
        <intercept-url pattern="/monitoringui/**" access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER,ROLE_SYS_ADMIN,ROLE_USER_ADMIN" />

        <intercept-url pattern="/" access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER,ROLE_SYS_ADMIN,ROLE_USER_ADMIN" />
        <intercept-url pattern="/index.jsp*" access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER,ROLE_SYS_ADMIN,ROLE_USER_ADMIN" />
        <intercept-url pattern="/index.jsp"  access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER,ROLE_SYS_ADMIN,ROLE_USER_ADMIN" />
        <intercept-url pattern="/index.html*" access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER,ROLE_SYS_ADMIN,ROLE_USER_ADMIN" />
        <intercept-url pattern="/index.html"  access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER,ROLE_SYS_ADMIN,ROLE_USER_ADMIN" />
        <intercept-url pattern="/scripts/**" access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER,ROLE_SYS_ADMIN,ROLE_USER_ADMIN" />

        <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1"  default-target-url="/" always-use-default-target="false" />
        <anonymous />
        <http-basic />
        <csrf request-matcher-ref="csrfSessionRequestMatcher"/>
        <custom-filter after="BASIC_AUTH_FILTER" ref="runAsFilter" />
        <custom-filter ref="masterNacIdentifierInterceptor" after="LAST"/>
        <!--<logout logout-success-url="/login.jsp" logout-url="/logout.jsp" invalidate-session="true"/>-->
        <logout logout-success-url="/login.jsp" invalidate-session="true"/>
        <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
        <session-management session-authentication-strategy-ref="sas">
            <!--<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />-->
        </session-management>
    </http>
 
4: Save the file and restart the server.
5: Try to access the SWAGGER API as a non-superuser; you should get an access denied error.
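The first-match rule that makes the placement of the two entries matter can be checked before restarting the server. The following Python script is an added example, not part of the article or the product: it parses a constructed, trimmed copy of the "basic" profile (the namespace declarations are the standard Spring ones, which the snippet above omits), applies simplified Ant-style matching in declaration order, and reports which access expression the filter chain would enforce for a request path.

```python
"""Audit Spring Security <intercept-url> ordering: the first matching rule
wins, so ROLE_SUPERUSER entries must precede the broad /a/** entry."""
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the "basic" profile after the change. The
# namespace declarations are the standard Spring ones; the KB snippet omits them.
CONFIG_XML = """<b:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:b="http://www.springframework.org/schema/beans" profile="basic">
  <http auto-config="true">
    <intercept-url pattern="/apis/public.html" access="ROLE_SUPERUSER"/>
    <intercept-url pattern="/a/api/v3/upgrade-agents" access="ROLE_SUPERUSER"/>
    <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/a/**" access="ROLE_LDAP,ROLE_SUPERUSER,ROLE_USER"/>
  </http>
</b:beans>"""

ANT_TOKENS = {"**": ".*", "*": "[^/]*", "?": "[^/]"}


def ant_to_regex(pattern):
    """Simplified Ant-style matching: ** spans path segments, * and ? do not."""
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    body = "".join(ANT_TOKENS.get(p, re.escape(p)) for p in parts)
    return re.compile("^" + body + "$")


def load_rules(config_xml):
    """Return (pattern, access) pairs in declaration order, namespace-agnostic."""
    root = ET.fromstring(config_xml)
    return [(el.get("pattern"), el.get("access"))
            for el in root.iter() if el.tag.endswith("intercept-url")]


def effective_access(rules, path):
    """Access expression of the first matching rule; None when nothing matches."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return access
    return None


if __name__ == "__main__":
    rules = load_rules(CONFIG_XML)
    for path in ["/apis/public.html", "/a/api/v3/upgrade-agents", "/a/api/v3/jobs"]:
        print(f"{path:32} -> {effective_access(rules, path)}")
    # Moving the two SUPERUSER entries below /a/** shadows the upgrade-agents rule.
    print(effective_access(rules[2:] + rules[:2], "/a/api/v3/upgrade-agents"))
```

Running the script against the real file (after reading it instead of CONFIG_XML) shows whether the upgrade-agents path still resolves to the broad role list, which means the new entry was placed after /a/** and is being shadowed.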
 
 

Additional Information

The configuration above restricts access to the SWAGGER page as a whole, and to the upgrade-agents API in particular, for any role other than superuser in the basic profile. For the SAML profile, add the corresponding configuration in the same file under the SAML section.