Securing the Admin UI

This page applies to sites using the Acegi security provider, but it should be adaptable to other security providers provided the same URLs are secured.

The Administration GUI can be accessed from the /weave/admin.html URL once the Weave instance is running.

To secure access to the GUI you need to edit the security.xml file and add three entries, covering the resources used by the Admin UI, to the list of secured paths in the filterInvocationInterceptor.

In a default Weave installation the final entry in this list should be:
/**=IS_AUTHENTICATED_ANONYMOUSLY

To secure the administration GUI you need to add the following three entries before that one. The patterns are checked in the order they are listed and the first match wins, so an entry placed after /** is never reached and the admin pages would stay open to anonymous users.
/admin.html=ROLE_ADMIN
/admin/**=ROLE_ADMIN
/services/admin/**=ROLE_ADMIN

Note that ROLE_ADMIN may need to change depending upon how you've set up authentication in the rest of the security.xml file.
The role represents a group that the user must belong to before they can access the Administration GUI. For example, if you're using the default users.properties file then the following entries will grant access to Bob and Ted, but not Alice:
bob=password,ROLE_ADMIN
ted=password,ROLE_ADMIN,ROLE_USER,ROLE_GIS,ROLE_PLANNING
alice=password,ROLE_USER,ROLE_GIS,ROLE_PLANNING

If you're using LDAP, Active Directory or some other authentication mechanism then the role you need to set will be based on the groups the user is granted based on those authentication sources. These roles are the same ones that you would use when creating an ACL within Weave itself.
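The following script is an added example for this page, not Weave's or Acegi's own code. It reads a path list in the form used above and a users.properties excerpt (both constructed here), resolves which user can reach which URL using the first-match rule, and flags entries that are unreachable because /** precedes them. The Ant-style matcher (* is one path segment, ** any number) and the first-match rule are assumptions about how Acegi reads the list; treat the output as a sanity check on the order of your entries, not as a substitute for testing the running instance.

```python
"""Check who can reach the Admin UI paths under a first-match path list.

Added example, not Weave's or Acegi's code.  Assumed: Ant-style patterns
('*' = one segment, '**' = any number of segments) and first match wins.
"""
import re

# Constructed excerpt of the secured path list from security.xml.
SECURED_PATHS = """
/admin.html=ROLE_ADMIN
/admin/**=ROLE_ADMIN
/services/admin/**=ROLE_ADMIN
/**=IS_AUTHENTICATED_ANONYMOUSLY
"""

# Constructed users.properties lines: user=password,ROLE[,ROLE...]
USERS = """
bob=password,ROLE_ADMIN
ted=password,ROLE_ADMIN,ROLE_USER,ROLE_GIS,ROLE_PLANNING
alice=password,ROLE_USER,ROLE_GIS,ROLE_PLANNING
"""


def parse_paths(text):
    """Return [(pattern, [attributes])] in file order; the order matters."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        pattern, attrs = line.split('=', 1)
        rules.append((pattern.strip(), [a.strip() for a in attrs.split(',')]))
    return rules


def parse_users(text):
    """Return {user: set(roles)}; the first field after '=' is the password."""
    users = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        name, rest = line.split('=', 1)
        fields = [f.strip() for f in rest.split(',')]
        users[name.strip()] = {f for f in fields[1:] if f.startswith('ROLE_')}
    return users


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern into an anchored regex."""
    out, i = '', 0
    while i < len(pattern):
        if pattern.startswith('/**', i):      # '/**' also matches the bare prefix
            out += '(?:/.*)?'
            i += 3
        elif pattern[i] == '*':                # single segment
            out += '[^/]*'
            i += 1
        elif pattern[i] == '?':
            out += '[^/]'
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile('^' + out + '$')


def first_match(rules, path):
    """The first rule whose pattern matches decides (assumed Acegi behaviour)."""
    for pattern, attrs in rules:
        if ant_to_regex(pattern).match(path):
            return pattern, attrs
    return None, []


def can_access(rules, roles, path):
    """True if the user's roles satisfy the first matching rule."""
    _, attrs = first_match(rules, path)
    if 'IS_AUTHENTICATED_ANONYMOUSLY' in attrs:
        return True
    return any(role in roles for role in attrs)


def shadowed_rules(rules):
    """Patterns that can never match because an earlier /** catches everything."""
    return [p for i, (p, _) in enumerate(rules)
            if any(q == '/**' for q, _ in rules[:i])]


if __name__ == '__main__':
    rules, users = parse_paths(SECURED_PATHS), parse_users(USERS)
    for user, roles in users.items():
        for path in ('/admin.html', '/admin/index.html', '/services/admin/x', '/main.html'):
            print(f'{user:6} {path:22} {can_access(rules, roles, path)}')
    print('shadowed:', shadowed_rules(rules))
```

Running it with the entries in the right order shows bob and ted reaching every admin path and alice reaching only /main.html; move the /** line to the top and alice gets /admin.html while every other entry is reported as shadowed.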

Restricting access to individual tools

It's possible, in version 2.6.11 or later, to restrict access to individual tools within the Admin UI, so that even if a user has access to the Admin UI they may not have access to all of the tools.

To do this you must create an ACL with the id acl.admin.<toolid>, where <toolid> is the unique id of the tool that you wish to restrict access to. Note that if there is no ACL defined with the id of a given tool the tool will be available to everyone who can reach the Admin UI, so every tool you want to restrict needs its own ACL.

At the time of writing the available tools ids are:
bookmarks, bundles, config, console, dataexplorer, fileexplorer, health, index, links, log, logout, mapexplorer, notepad, spatialexplorer, sql, status, support, token.
Note that the current list of admin tools available will be output to the log when loading the Admin UI if the log level is set to DEBUG, e.g.
14:48:08.888 DEBUG Available Admin tools: [bookmarks, bundles, config, console, dataexplorer, fileexplorer, health, index, links, log, logout, mapexplorer, notepad, spatialexplorer, sql, status, support, token] (AdminProvider.java:178) [qtp472850438-318]

For example, the following configuration restricts three of the tools and leaves the rest available to all Admin UI users:

<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="urn:com.cohga.server.config#1.0" xmlns:acl="urn:com.cohga.server.acl#1.0">

  <!-- Only allow JWT token generation by Super users -->
  <acl:acl id="acl.admin.token">
    <acl:entry type="allow">ROLE_SUPERUSER</acl:entry>
    <acl:entry type="deny">*</acl:entry>
  </acl:acl>

  <!-- Only allow Super users and Support users the ability to generate support dumps -->
  <acl:acl id="acl.admin.support">
    <acl:entry type="allow">ROLE_SUPPORT</acl:entry>
    <acl:entry type="allow">ROLE_SUPERUSER</acl:entry>
    <acl:entry type="deny">*</acl:entry>
  </acl:acl>

  <!-- completely remove access to the Data SQL tool -->
  <acl:acl id="acl.admin.sql">
    <acl:entry type="deny">*</acl:entry>
  </acl:acl>

</config>
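The script below is an added example, not Weave's own code. It parses a configuration with the same shape as the one above (constructed inline) and reports, for a given set of roles, which admin tools are allowed and which tools have no ACL at all and are therefore open to every Admin UI user, as the page states. Two details are assumptions rather than documented behaviour: entries are evaluated in order with the first matching entry deciding, and when no entry matches the tool is denied. The page's own examples end every ACL with deny *, so nothing falls through to that second assumption; ending your ACLs the same way is the safe choice.

```python
"""Audit per-tool Admin UI ACLs of the form acl.admin.<toolid>.

Added example, not Weave's code.  Documented on the page: a tool with no
ACL is available to everyone.  Assumed here: entries are checked in order,
the first matching entry decides, '*' matches any user, and an ACL where
no entry matches denies access.
"""
import xml.etree.ElementTree as ET

NS = {'c': 'urn:com.cohga.server.config#1.0',
      'acl': 'urn:com.cohga.server.acl#1.0'}

# Tool ids listed on the page at the time of writing.
ADMIN_TOOLS = ['bookmarks', 'bundles', 'config', 'console', 'dataexplorer',
               'fileexplorer', 'health', 'index', 'links', 'log', 'logout',
               'mapexplorer', 'notepad', 'spatialexplorer', 'sql', 'status',
               'support', 'token']

# Constructed config in the same shape as the page's example.
CONFIG_XML = """
<config xmlns="urn:com.cohga.server.config#1.0"
        xmlns:acl="urn:com.cohga.server.acl#1.0">
  <acl:acl id="acl.admin.token">
    <acl:entry type="allow">ROLE_SUPERUSER</acl:entry>
    <acl:entry type="deny">*</acl:entry>
  </acl:acl>
  <acl:acl id="acl.admin.support">
    <acl:entry type="allow">ROLE_SUPPORT</acl:entry>
    <acl:entry type="allow">ROLE_SUPERUSER</acl:entry>
    <acl:entry type="deny">*</acl:entry>
  </acl:acl>
  <acl:acl id="acl.admin.sql">
    <acl:entry type="deny">*</acl:entry>
  </acl:acl>
</config>
"""


def load_acls(xml_text):
    """Return {acl id: [(type, principal), ...]} in document order."""
    root = ET.fromstring(xml_text)
    acls = {}
    for acl in root.findall('acl:acl', NS):
        acls[acl.get('id')] = [(e.get('type'), (e.text or '').strip())
                               for e in acl.findall('acl:entry', NS)]
    return acls


def tool_allowed(acls, tool, roles):
    """Decide access to one tool for a user holding the given roles."""
    entries = acls.get('acl.admin.' + tool)
    if entries is None:
        return True                      # page: no ACL means open to everyone
    for kind, principal in entries:      # assumed: first matching entry wins
        if principal == '*' or principal in roles:
            return kind == 'allow'
    return False                         # assumed: no match means deny


def unrestricted_tools(acls, tools=ADMIN_TOOLS):
    """Tools that every Admin UI user can use because no ACL names them."""
    return [t for t in tools if 'acl.admin.' + t not in acls]


def audit(acls, roles, tools=ADMIN_TOOLS):
    """Map each tool id to whether the given roles may use it."""
    return {t: tool_allowed(acls, t, roles) for t in tools}


if __name__ == '__main__':
    acls = load_acls(CONFIG_XML)
    print('open to all admin users:', unrestricted_tools(acls))
    for roles in ({'ROLE_ADMIN'}, {'ROLE_SUPPORT'}, {'ROLE_SUPERUSER'}):
        denied = [t for t, ok in audit(acls, roles).items() if not ok]
        print(sorted(roles), 'denied:', denied)
```

The unrestricted_tools output is the line worth reading before going live: with the configuration above it lists everything except token, support and sql, which is exactly what an ROLE_ADMIN user who is neither support nor super user will be able to use.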