Secret projects for specific users

[chkp-baselz]

Hey Vlad and all :)
I was trying to grant access to a project for a specific user only, I saw a way within changing web.xml
The app for now is accessible only for all RnD users using LDAP, and it's working very well

I'm trying to block baselOpenGrokTest2 project for other users and only valid for 'baselz' user
but I'm getting forbidden request

Web.xml:

<security-constraint>
<web-resource-collection>
<web-resource-name>Site</web-resource-name>
  <url-pattern>/api/v1/search</url-pattern> <!-- protect search endpoint whitelisted above -->
  <url-pattern>/api/v1/suggest/*</url-pattern> <!-- protect suggest endpoint whitelisted above -->
  <url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
  <role-name>RnD</role-name>
</auth-constraint>
</security-constraint>

<security-constraint>
<web-resource-collection>
  <web-resource-name>My Repo</web-resource-name>
  <url-pattern>/xref/baselOpenGrokTest2/*</url-pattern>
</web-resource-collection>
<auth-constraint>
  <role-name>developer</role-name>
</auth-constraint>
</security-constraint>

<role>
<description>My Role</description>
<role-name>developer</role-name>
</role>

<user>
<description>My User</description>
<role-name>developer</role-name>
<username>baselz</username>
</user>

<login-config>
<auth-method>BASIC</auth-method>
</login-config>

<security-role>
<role-name>RnD</role-name>
</security-role>

By localhost_access_log I can user baselz is getting 403 for baselOpenGrokTest2 access

- baselz [09/Jan/2023:13:03:02 +0200] "GET /source/xref/automation_testing HTTP/1.1" 302 -
- baselz [09/Jan/2023:13:03:02 +0200] "GET /source/xref/automation_testing/ HTTP/1.1" 304 -
- baselz [09/Jan/2023:13:03:03 +0200] "GET /source/api/v1/suggest/config HTTP/1.1" 200 376
- baselz [09/Jan/2023:13:03:09 +0200] "GET /source/xref/baselOpenGrokTest2 HTTP/1.1" 403 4525
- baselz [09/Jan/2023:13:15:03 +0200] "GET /source/ HTTP/1.1" 200 141567
- baselz [09/Jan/2023:13:15:04 +0200] "GET /source/api/v1/suggest/config HTTP/1.1" 200 376
- baselz [09/Jan/2023:13:15:14 +0200] "GET /source/xref/baselOpenGrokTest2 HTTP/1.1" 403 4525

Please help
Thank you

[vladak]

Attempting to configure authorization via Tomcat constraints is not supported and in fact I'd discourage anyone from doing so because eventually there will be some gap that is not covered by the Tomcat configuration. For example, the above configuration is missing the /history.

Proper way of configuring the authorization layer is to use the authorization framework